More than a week after the publication of the first reports of a critical vulnerability in Apple's FaceTime messaging application, an official patch is now available.
However, it seems that the FaceTime flaw is one of the three zero-day issues that hackers actively exploited in Apple's iOS mobile operating system. On February 7, Apple released the iOS 12.1.4 update for mobile device users, fixing four issues, as well as updating the MacOS Mojave 10.14.3 add-in for PC users. Apple desktops and desktops, which provides three fixes.
The FaceTime Fault, officially identified as CVE-2019-6223 and unofficially known as "FacePalm", allowed attackers to spy on other users' devices, even if they did not. did not respond to the call request.
"The initiator of a Group FaceTime call may be able to provoke the recipient's response," Apple warned in its notice. "There was a logic problem in dealing with FaceTime group calls, this problem was resolved with improved state management."
It should also be noted that in FaceTime CVE-2019-6223, Apple recognized Grant Thompson, a 14-year-old from Catalina Foothills I High School in Tucson, Arizona, as one of two original reporters. of the fault, with Daven Morris of Arlington, Texas. Thompson discovered the problem late 2018 and, along with his mother, has repeatedly tried to attract Apple's attention to remedy the flaw. However, it was only after a media report on the loophole published on January 28 that Apple recognized that there was a problem.
Google Project Zero
While a teenager was able to find a critical zero-day problem in Apple's technology, two other zero-day issues were reported via the Google Project Zero Security Research Group.
"CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today have been exploited in the wild like 0Day," wrote Ben Hawks, head of Google Project Zero, on Twitter. message.
Neither Hawks, nor Google, nor Apple provided any public details of the locations of day zero vulnerabilities. The Apple advisory regarding CVE-2018-7286 identifies the problem as part of the Foundation component in both iOS and macOS. Foundation is a framework that provides a base layer for other protocols and application libraries for the Apple operating system.
"An application may be able to get elevated privileges," Apple warned in its CVE-2019-7286 advisory.
The CVE-2019-7287 zero-day program published by Google Project Zero is found in the IOKit component of iOS. IOKit allows applications to access hardware devices and drivers.
"An application may be able to execute arbitrary code with kernel privileges," Apple warned in its CVE-2019-7287 advisory.
Issues CVE-2019-7286 and CVE-2019-7287 both involve memory corruption issues that Apple has corrected with improved input validation.
Live Photos in FaceTime
Beyond the three "zero-day" flaws reported to Apple by different researchers, Apple has also discovered a flaw that is corrected in iOS and macOS that implicated FaceTime.
"A thorough security audit of the FaceTime service revealed a problem with Live Photos," says CVE-2019-7288. "The problem has been solved with improved validation on the FaceTime server."
Sean Michael Kerner is Editor-in-Chief at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.