Apple finally fixes eavesdropping Group FaceTime bug via iOS 12.1.4
The FaceTime bug that dragged Apple into a lawsuit was finally patched in the latest version of iOS. Apple initially stated that it would have a patched version ready by the end of last week, but the fix took almost one more week to be released. However, Apple did deactivate the Group feature that was causing the problems last Wednesday.
With the iOS 12.1.4 version that was released on February 7, Apple also fixed two other security vulnerabilities: a memory corruption flaw in IOKit that allowed apps to execute arbitrary code with kernel privileges, and another memory corruption bug in Foundation that allowed apps to gain elevated privileges. Additionally, while working on the eavesdropping vulnerability, Apple discovered a new bug triggered by the Live Photos feature in FaceTime. Here is Apple’s official statement:
Today’s software update fixes the security bug in Group FaceTime. We again apologize to our customers and we thank them for their patience. In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime. To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS.
Apparently, the Group feature was supposed to be added in a mid-2018 version, but Apple only introduced it in late November 2018, and even with that delay, it looks like the software was not properly tested. Moreover, Apple's security infrastructure is yet again challenged by the latest bug discovered in macOS by 18-year-old Linus Henze, who claims that the operating system exposes passwords stored in the keychain to malicious apps. Apple has not yet released any statement regarding this issue.