{"id":59981,"date":"2024-10-30T02:30:00","date_gmt":"2024-10-29T23:30:00","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/182365\/APPLE-SA-10-28-2024-6.txt"},"modified":"2024-10-30T02:30:00","modified_gmt":"2024-10-29T23:30:00","slug":"apple-security-advisory-10-28-2024-6","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/apple-security-advisory-10-28-2024-6\/","title":{"rendered":"Apple Security Advisory 10-28-2024-6"},"content":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256<\/p>\n

APPLE-SA-10-28-2024-6 watchOS 11.1<\/p>\n

watchOS 11.1 addresses the following issues.
Information about the security content is also available at
https:\/\/support.apple.com\/121565.<\/p>\n

Apple maintains a Security Releases page at
https:\/\/support.apple.com\/100100 which lists recent
software updates with security advisories.<\/p>\n

Accessibility
Available for: Apple Watch Series 6 and later
Impact: An attacker with physical access to a locked device may be able
to view sensitive user information
Description: The issue was addressed with improved authentication.
CVE-2024-44274: Rizki Maulana (rmrizki.my.id), Matthew Butler, Jake
Derouin<\/p>\n

App Support
Available for: Apple Watch Series 6 and later
Impact: A malicious app may be able to run arbitrary shortcuts without
user consent
Description: A path handling issue was addressed with improved logic.
CVE-2024-44255: an anonymous researcher<\/p>\n

CoreMedia Playback
Available for: Apple Watch Series 6 and later
Impact: A malicious app may be able to access private information
Description: This issue was addressed with improved handling of
symlinks.
CVE-2024-44273: pattern-f (@pattern_F_), Hikerell of Loadshine Lab<\/p>\n

CoreText
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: The issue was addressed with improved checks.
CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero Day
Initiative
CVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero Day
Initiative<\/p>\n

Foundation
Available for: Apple Watch Series 6 and later
Impact: Parsing a file may lead to disclosure of user information
Description: An out-of-bounds read was addressed with improved input
validation.
CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero Day
Initiative<\/p>\n

ImageIO
Available for: Apple Watch Series 6 and later
Impact: Processing an image may result in disclosure of process memory
Description: This issue was addressed with improved checks.
CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day Initiative<\/p>\n

ImageIO
Available for: Apple Watch Series 6 and later
Impact: Processing a maliciously crafted message may lead to a denial-
of-service
Description: The issue was addressed with improved bounds checks.
CVE-2024-44297: Jex Amro<\/p>\n

IOSurface
Available for: Apple Watch Series 6 and later
Impact: An app may be able to cause unexpected system termination or
corrupt kernel memory
Description: A use-after-free issue was addressed with improved memory
management.
CVE-2024-44285: an anonymous researcher<\/p>\n

Kernel
Available for: Apple Watch Series 6 and later
Impact: An app may be able to leak sensitive kernel state
Description: An information disclosure issue was addressed with improved
private data redaction for log entries.
CVE-2024-44239: Mateusz Krzywicki (@krzywix)<\/p>\n

Shortcuts
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44254: Kirin (@Pwnrin)<\/p>\n

Shortcuts
Available for: Apple Watch Series 6 and later
Impact: A malicious app may use shortcuts to access restricted files
Description: A logic issue was addressed with improved checks.
CVE-2024-44269: an anonymous researcher<\/p>\n

Siri
Available for: Apple Watch Series 6 and later
Impact: An app may be able to access sensitive user data
Description: This issue was addressed with improved redaction of
sensitive information.
CVE-2024-44194: Rodolphe Brunetti (@eisw0lf)<\/p>\n

Siri
Available for: Apple Watch Series 6 and later
Impact: A sandboxed app may be able to access sensitive user data in
system logs
Description: An information disclosure issue was addressed with improved
private data redaction for log entries.
CVE-2024-44278: Kirin (@Pwnrin)<\/p>\n

WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may prevent Content
Security Policy from being enforced
Description: The issue was addressed with improved checks.
WebKit Bugzilla: 278765
CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma Soft
Pvt. Ltd, Pune (India)<\/p>\n

WebKit
Available for: Apple Watch Series 6 and later
Impact: Processing maliciously crafted web content may lead to an
unexpected process crash
Description: A memory corruption issue was addressed with improved input
validation.
WebKit Bugzilla: 279780
CVE-2024-44244: an anonymous researcher, Q1IQ (@q1iqF) and P1umer
(@p1umer)<\/p>\n

Additional recognition<\/p>\n

Calculator
We would like to acknowledge Kenneth Chew for their assistance.<\/p>\n

Calendar
We would like to acknowledge K\u5b9d(@Pwnrin) for their assistance.<\/p>\n

ImageIO
We would like to acknowledge Amir Bazine and Karsten K\u00f6nig of
CrowdStrike Counter Adversary Operations, an anonymous researcher for
their assistance.<\/p>\n

Messages
We would like to acknowledge Collin Potter, an anonymous researcher for
their assistance.<\/p>\n

NetworkExtension
We would like to acknowledge Patrick Wardle of DoubleYou & the
Objective-See Foundation for their assistance.<\/p>\n

Photos
We would like to acknowledge James Robertson for their assistance.<\/p>\n

Security
We would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai of
Alibaba Group for their assistance.<\/p>\n

Siri
We would like to acknowledge Bistrit Dahal for their assistance.<\/p>\n

Instructions on how to update your Apple Watch software are
available at https:\/\/support.apple.com\/108926<\/p>\n

To check the version on your Apple Watch, open the Apple Watch app
on your iPhone and select “My Watch > General > About”.<\/p>\n

Alternatively, on your watch, select “My Watch > General > About”.<\/p>\n

All information is also posted on the Apple Security Releases
web site: https:\/\/support.apple.com\/100100.<\/p>\n

This message is signed with Apple’s Product Security PGP key,
and details are available at:
https:\/\/www.apple.com\/support\/security\/pgp\/<\/p>\n

—–BEGIN PGP SIGNATURE—–<\/p>\n

iQIzBAEBCAAdFiEEsz9altA7uTI+rE\/qX+5d1TXaIvoFAmcgAEsACgkQX+5d1TXa
IvpYqw\/\/e5YtWRJMacUQbK4oainyrTgy1EkXT3mV7zHSmzfMYOrhfGVd\/4yKMsaa
PSrREy9rcN\/oQdLulbAhDfqzEmHSczIxWeP4J48xSR6Od\/PY9KFdg4tUJ\/DjWp62
LgvsxyOY6HFt5vvzh0Cguf7xjskHgHKAgX+PbByT\/RNLEOk8Q4F3acKyq1D3oGH4
5yRBHkNyY2rpJtu\/6wrxKrn5+H\/OFDcO9ABp772nGm75pa1aaxuLlocVdOezZAod
uWmApZDfLns3wh5yBBuGd9XfXMlpKE0zl1i8y6bPDqe9DBYvS8j0fnZGKNURUaBV
yIPYJi1IH8V0jTYhnwUN0bTYE1IrEYU1sUSDEcq4vBmSxPxXZmY2sgcIjnEgJY8Q
d0f1tzd\/C0qPYAIpRIFj8bpgbN22uDEVbT58dh+idhg6c+tckQnGEmadPg9c9H\/m
\/QxJcc5LdMMwOmyBTSNbwykvb6GKO5TLec1PhU\/SImSXxAmtLwNWPk72tZpWEZiI
ASKal+XcCa\/SO3Fyfh+VhhbjmJIdR9wki2R+DXUcwfktOVKb4GWMDWPv6KiRL4ls
cNudvcc409JBnIJpKAojXcmzPdqWlICbrPTHihyO9Vf7tIRcgxpBaX8YgYy+lyO4
3kzUGycxUi4kqHao38ag7xNANdHQxO1VTamYDJLYCEXi62kuxno=
=7KV0
—–END PGP SIGNATURE—–<\/p>\n","protected":false},"excerpt":{"rendered":"

—–BEGIN PGP SIGNED MESSAGE—–Hash: SHA256 APPLE-SA-10-28-2024-6 watchOS 11.1 watchOS 11.1 addresses the following issues.Information about the security content is also available athttps:\/\/support.apple.com\/121565. Apple maintains a Security Releases page athttps:\/\/support.apple.com\/100100 which lists recentsoftware updates with security advisories. AccessibilityAvailable for: Apple Watch Series 6 and laterImpact: An attacker with physical access to a locked device may be …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59981","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59981","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59981"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59981\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59981"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59981"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59981"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}