Using Apple Watch? CERT-in warns of major security flaw

If you own an Apple smartwatch with watch OS versions prior to 8.7, you need to update it or hackers could bypass security on your device and steal all crucial data, including health and fitness and geo-location data, etc.

These instructions with a 'high' severity rating come from the Indian Computer Emergency Response Team (CERT-In), the nodal cyber security agency under the Ministry of Electronics and Information Technology (Meity).

The CERT-In says any hacker could exploit these vulnerabilities from a remote place by sending a specially-crafted request.

"Successful exploitation of these vulnerabilities could allow the attacker to execute arbitrary code and bypass security restrictions on the targeted system," says the agency.

The government agency has issued an advisory to Apple watch users, saying it contains "multiple vulnerabilities". The reason cited for these vulnerabilities are "buffer overflow in AppleAVD component; an authorisation issue in AppleMobile File Integrity component; out-of-bounds write in audio, ICU and WebKit component; type confusion in multi-touch component; multiple out-of-bounds write and memory corruption in GPU drivers component; out-of-bounds read in Kernel component; and memory initialisation in libxml2 component".

How to address issue

Apple issued a patch on these tech vulnerabilities on July 20 last week, asking users to apply its latest update WatchOS 8.7 to fix these security issues. The company says the Apple AVD component issue, which was also highlighted by CERT-in, is a buffer overflow problem that was addressed with improved bounds checking. It was first discovered by Google Project Zero researcher Natalie Silvanovich. It said the security vulnerability affected Apple Watch Series 3 and later.

Apple also cited a number of other vulnerabilities on its system, which have been fixed.

"For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available," it says. Recent releases are also listed on the Apple security updates page.

Notably, tech majors like Google, Microsoft and Apple keep on bringing newer updates to their operating systems to keep their devices safe and secure.

Similarly, CERT-in has also issued a "high" severity warning for Microsoft Edge users of versions prior to 103.0.0.1264.71, saying there are "multiple vulnerabilities" in it, putting user data at risk.

"Multiple vulnerabilities have been reported in Microsoft Edge, which could allow a remote attacker to bypass security restrictions and to execute arbitrary code or cause a denial-of-service (DoS) condition on the targetted system," says the government agency.

As per CERT-in, these vulnerabilities exist in “Chromium Open-Source Software (OSS), which is consumed by Microsoft Edge due to use after free in Guest View, use after free in PDF, use after free in service worker API, use after free in views and insufficient validation of untrusted input in File”.

A remote attacker could exploit these vulnerabilities and allow the attacker to bypass security restrictions and execute arbitrary code or cause a denial-of-service (DoS) condition on the targetted system, it adds.