Apple Fix

Apple has released security updates for iOS and macOS that fix a severe bug in FaceTime that allowed callers to listen in on, and potentially view, the people they were calling without the call being answered.

At the end of January, videos started circulating on social media about a serious bug in iOS and macOS that allowed users to initiate a Group FaceTime call and listen in on those they were calling without that person answering the call or even knowing that their microphone was activated. To make matters worse, if the person receiving the call pressed the power button to mute the ringing, their front-facing camera would turn on allowing the caller to see what was happening in the room.

As you can imagine, this bug had serious privacy ramifications and could be used by people to listen in on rooms or potentially get images of people in very private situations.

Apple stated that they would create a security update and release it the following week. While they were fixing the bug, they disabled Group FaceTime, so that the bug could not be abused.

Today, Apple has released iOS 12.1.4 and a macOS Mojave 10.14.3 Supplemental Update that fix this FaceTime bug. According to the release notes, this bug was caused by a logic issue in how Group FaceTime calls were handled.

"A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management."

During the audit of FaceTime, Apple also discovered another bug in Live Photos that was related to FaceTime. Details of this new bug and how it could be exploited were not disclosed by Apple.

While they were at it, Apple also slipped two other security updates into the iOS and macOS releases for vulnerabilities they found in Foundation and IOKit that could lead to code execution or privilege escalation.

In addition to the macOS and iOS updates, Apple also released Shortcuts 2.1.3 to fix vulnerabilities found in Shortcuts for iOS.

Apple recognizes teenager who tried to report Group FaceTime Bug

Apple has also recognized Grant Thompson, the 14-year-old teenager who originally discovered the Group FaceTime bug and tried to report the bug to Apple. Apple unfortunately never responded to these attempts and only paid attention when videos of the bug started circulating on social media.

Ever since it was discovered that Thompson tried to responsibly disclose the bug to Apple, many have been calling for Apple to issue him a bug bounty reward. Apple has not stated if they are planning on doing so.

How to install iOS and macOS updates

To install the iOS 12.1.4 update on iPhones or iPads, please follow these steps:

  1. Tap Settings
  2. Tap General
  3. Tap Software Update
  4. You should see a message stating that the iOS 12.1.4 update is available to install. Plug your device into a power source and click on the Download and Install button.

  5. Your device will now download and install the update, then restart.
  6. When done, enter your code at the lock screen and the update will be installed.

For macOS users, the 10.14.3 update may automatically be installed. If you would like to install it immediately, or make sure it's installed, you can follow these steps:

  • Click on the Apple icon in the top left of your screen.
  • Click on About This Mac.
  • Click on Software Update.
  • If an update is offered, install it on your computer and let it restart if necessary.

You can also install macOS Mojave updates by going to System Preferences and then clicking on the Software Update icon.
