Fri. Feb 22nd, 2019

Apple FaceTime Flaw Update

Apple’s iOS 12.1.4 update was recently released and works on iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

Zero-Day Attacks Exploited Flaws

The iOS update patches Foundation, a framework that Apple notes provides a base layer of functionality for apps and frameworks. By exploiting a Foundation memory corruption flaw, designated CVE-2019-7286, an application can gain elevated privileges on a device.

The update, patches IOKit, which is Apple’s library for developing kernel-resident device drivers. A memory corruption flaw, designated CVE-2019-7287, can be exploited to “execute arbitrary code with kernel privileges.

According to Ben Hawkes, the team leader at Google’s Project Zero security, says both zero-day flaws were being exploited in the wild.

Apple Fixes FacePalm

In addition, the iOS update includes a fix for FacePalm, a flaw that allowed FaceTime callers to see and hear recipients before they answered the call.

The software update fixes the security bug in Group FaceTime. Apple has apologized to their customers and thanked them for their patience.

Apple stated they would address the newly discovered FaceTime flaw via a FaceTime server fix.

In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security.

Saga of the FaceTime Flaw

Succeeding the FaceTime flaw, Apple took Group FaceTime offline, pending a fix. Once Apple began pushing the patch on Thursday, Group FaceTime was back online.

Grant Thompson, a 14-year-old from Arizona discovered The FaceTime flaw around Jan. 19 while organizing a Fortnight video game session. He and his mother attempted to contact Apple – by call, tweet and fax – to report the flaw.

Apple’s bug bounty program can reward researchers with up to hundreds of thousands of dollars in compensation.

However,  Apple didn’t pay the matter any attention until after the flaw was documented by 9to5Mac.

According to Apple they’ve learned from their mistakes and are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible.

In its Thursday security update, Apple gave a shout-out to Thompson and his high school – as well as an  a 27-year-old software developer named Daven Morris  for reporting the flaw.