Apple has finally released the iOS 12.1.4 software update to patch the terrible Group FaceTime privacy bug that could have allowed an Apple user to call you via the FaceTime video chat service and, without your knowledge, hear or see you before you even pick up the call.

The FaceTime bug (CVE-2019-6223) was discovered by 14-year-old Grant Thompson of Catalina Foothills High School while he was trying to set up a Group FaceTime session with his friends.

Thompson reported the bug to the company a week before it made headlines across the internet, forcing Apple to temporarily disable the group calling feature within FaceTime.
In its advisory published Thursday, Apple described the bug as “a logic issue existed in the handling of Group FaceTime calls,” and said it also impacted the Group FaceTime calling feature on Apple’s macOS Mojave 10.14.2.

Along with Thompson, Apple has also credited Daven Morris of Arlington, Texas, in its official advisory for reporting this bug.

According to media reports, Apple has confirmed that it will “compensate” the family and help towards the teenager’s future education costs as part of its Bug Bounty program, though it is unclear how much the company is going to pay.

Two More In-The-Wild Zero-Day Flaws Discovered
The iOS 12.1.4 update also patches three more security vulnerabilities, two of which were reportedly being exploited in the wild, as confirmed by the Google Project Zero researchers who discovered and reported these vulnerabilities to Apple. The last bug was also related to FaceTime.

CVE-2019-7286: a memory corruption issue that could allow a malicious application to gain elevated privileges on the vulnerable Apple device.
CVE-2019-7287: a memory corruption issue that could allow a malicious application to execute arbitrary code with kernel privileges.
CVE-2019-7288: discovered by the Apple security team, this flaw is another FaceTime issue with Live Photos.