October 15, 2024 at 01:39PM
The watchOS 10.6 update, available for Apple Watch Series 4 and later, addresses multiple security vulnerabilities, including out-of-bounds access, information disclosure, and permissions issues. The fixes cover app crashes, bypasses of Privacy preferences, and disclosure of kernel memory layout to a local attacker. The release date is July 29, 2024.
**Security Updates for watchOS 10.6**
**Release Information:**
– **Apple ID:** 120916
– **Release Date:** July 29, 2024
– **Affected Product:** watchOS 10.6 (advisory title: "About the security content of watchOS 10.6")
– **Update Available For:** Apple Watch Series 4 and later
**Security Issues Addressed:**
1. **CVE-2024-40774**
– **Description:** Downgrade issue addressed with additional code-signing restrictions.
– **Impact:** App may bypass Privacy preferences.
2. **CVE-2024-40799**
– **Description:** Out-of-bounds read issue resolved with improved input validation.
– **Impact:** Maliciously crafted file may cause unexpected app termination.
3. **CVE-2024-40815**
– **Description:** Race condition addressed with additional validation.
– **Impact:** Attacker could bypass Pointer Authentication.
4. **Multiple CVEs (CVE-2024-40795, CVE-2023-6277, CVE-2023-52356, CVE-2024-40806, CVE-2024-40777)**
– **Description:** Out-of-bounds access issues addressed with improved bounds checking.
– **Impact:** Maliciously crafted file may cause unexpected app termination.
5. **CVE-2024-40784 & CVE-2024-27863**
– **Description:** Information disclosure issue resolved with improved private data redaction.
– **Impact:** Local attacker may determine kernel memory layout.
6. **CVE-2024-40788**
– **Description:** Type confusion issue addressed with improved memory handling.
– **Impact:** A local attacker may be able to cause an unexpected system shutdown.
7. **CVE-2024-40805**
– **Description:** Permissions issue addressed with additional restrictions.
– **Impact:** App may bypass Privacy preferences.
8. **CVE-2024-40813**
– **Description:** Lock screen issue resolved with improved state management.
– **Impact:** Attacker with physical access may use Siri to access sensitive user data.
9. **Multiple CVEs related to out-of-bounds access (CVE-2024-40824, CVE-2024-40835, CVE-2024-40836, CVE-2024-40809, CVE-2024-40812, CVE-2024-40787, CVE-2024-40789)**
– **Description:** Addressed out-of-bounds access issues.
– **Impact:** Processing maliciously crafted web content may lead to unexpected process crashes.
10. **CVE-2024-40793 & CVE-2024-40818**
– **Description:** Addressed issues by restricting options on locked devices.
– **Impact:** Attacker with physical access may use Siri to access sensitive user data.
11. **CVE-2024-40822**
– **Description:** Issues resolved by restricting access on locked devices.
– **Impact:** Potential access to contacts from the lock screen.
12. **Multiple CVEs related to cross-site scripting (CVE-2024-40829, CVE-2024-40776, CVE-2024-40782, CVE-2024-40779, CVE-2024-40780, CVE-2024-40785)**
– **Description:** Improved checks for processing web content.
– **Impact:** Risk of cross-site scripting attacks.
**Overall Impact:**
These updates collectively address a range of vulnerabilities including privacy bypass, system crashes, information disclosures, and risks associated with physical device access. Users are encouraged to update their Apple Watch Series 4 and later to ensure the latest security measures are in place.