nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

Apple patches FREAK-ed out Watch

Cupertino slings patches to kill twin data execution bugs

By Darren Pauli, 20 May 2015

Apple has patched a dozen security flaws in Watch, including FREAK and two allowing arbitrary code execution.

The updates cover Oracle hacker Marc Schoenefeld's arbitrary code execution which triggers (CVE-2015-1093) when the Apple Watch processes a maliciously crafted font file.

It also squashes hacker Loki@ART's bug that grants malicious apps the ability to execute arbitrary code with system privileges via a kernel memory corruption issue (CVE-2015-1101).

Apple closes the twin memory corruption flaws with better bounds checking and memory handling.

Cupertino's first Watch patch run also axes the FREAK (Factoring RSA Export Keys) bug revealed March which allows privileged attackers (CVE-2015-1067) to steal SSL and TLS connections thanks to the acceptance of weak RSA keys.

That is fixed by removing support for the shoddy keys originally developed for the export market.

Cupertino also fixes flaws that allowed malicious network admins or snoops to redirect users to attack sites (CVE-2015-1103), and denial of service (CVE-2015-1099, CVE-2015-1105, CVE-2015-1102).

It further updates the certificate trust policies and has published a list of certificates. ®

The Register - Independent news and views for the tech community. Part of Situation Publishing