Latest iOS 12.1.4 Update Patches 2 Zero-Day and FaceTime Bugs


Apple has finally released iOS 12.1.4 software update to patch the terrible

Group FaceTime privacy bug

that could have allowed an Apple user to call you via the FaceTime video chat service and hear or see you before you even pick up the call without your knowledge.

The Facetime bug (CVE-2019-6223) was discovered by 14-year-old Grant Thompson of Catalina Foothills High School while he was trying to set up a Group FaceTime session with his friends.

Thompson reported the bug to the company a week before it made headlines across the internet, forcing Apple to temporarily disable the group calling feature within FaceTime.

In its

advisory

published Thursday, Apple described the bug as "a logic issue existed in the handling of Group FaceTime calls," that also impacted the group FaceTime calling feature on Apple's macOS Mojave 10.14.2.

Along with Thompson, Apple has also credited Daven Morris of Arlington, Texas, in its official advisory for reporting this bug.

According to media reports, Apple has confirmed to "compensate" the family and help towards the teenager's future education costs as part of its Bug Bounty program, though it is unclear how much the company is going to pay.

Two More In-The-Wild Zero-Day Flaws Discovered

The iOS 12.1.4 update also patches three more security vulnerabilities, two of which were also reportedly being exploited in the wild,

confirmed

by Google Project Zero researchers, who discovered and reported these vulnerabilities to Apple. The last bug was also related to FaceTime.

  • CVE-2019-7286: a memory corruption issue that could allow a malicious application to gain elevated privileges on the vulnerable Apple device.
  • CVE-2019-7287: a memory corruption issue that could allow a malicious application to execute arbitrary code with kernel privileges.
  • CVE-2019-7288: discovered by the Apple security team, this flaw is another FaceTime issue with Live Photos.

If you haven't yet, you are highly recommended to update your Apple devices with iOS 12.1.4 release, which is available for the iPhone 5S, and later, iPad Air and later, and iPod touch 6th generation.

To run the update on your iPhone, iPad or iPod, just go to Settings→ General → Software Update and click the 'Download and Install' button.

If you are a Mac owner, you should also install the new macOS Mojave

10.14.3 update

on your computer that also fixes three of the four vulnerabilities briefed above, including the FaceTime issues.

To update your Mac computer, just go to Apple menu in the top left corner of your computer, select 'System Preferences,' click 'Software Update' and download the new update.



from The Hacker News http://bit.ly/2Swy6z7