Apple fixes Group FaceTime privacy issue with iOS 12.1.4, macOS Mojave supplemental update...
Apple has released an update to iOS bringing it up to 12.1.4, and a supplemental update to macOS Mojave with both updates re-enabling Group FaceTime by fixing a security hole that potentially allowed others to listen in to private conversations without the user's permission.
Released to iOS devices, the update targets just Group FaceTime, which was disabled shortly after the discovery of the security issue. While Apple noted on Friday it has already deployed a fix to its servers, a further update was required for the affected devices as well, one that is now being made available to users.
While the update follows on from iOS 12.1.3, the previous public version of the mobile operating system, it doesn't seem that there are any other changes made to the software, aside from the FaceTime fix.
Currently, Apple is working on betas for iOS 12.2, macOS 10.14.4, and tvOS 12.2, with the version numbers suggesting the releases will be more major than in previous updates. Outside the discovery of other security holes, it is unlikely there will be another release under the iOS 12.1 prefix.
The Group FaceTime exploit was relatively simple to perform, with the caller starting a FaceTime video call with a contact, then while the call is ringing, they added themselves to the call as a third party using their phone number. If properly executed, the Group FaceTime call commenced, with the original recipient's audio streaming before the call is accepted.
It has been suggested Apple may be preparing to provide the 14-year-old discoverer of the exploit, Grant Thompson, an award under the company's bug bounty scheme, after it became widely publicized on Twitter.
Devices not updated with Thursday's patches will not be allowed to access Group FaceTime.
Released to iOS devices, the update targets just Group FaceTime, which was disabled shortly after the discovery of the security issue. While Apple noted on Friday it has already deployed a fix to its servers, a further update was required for the affected devices as well, one that is now being made available to users.
While the update follows on from iOS 12.1.3, the previous public version of the mobile operating system, it doesn't seem that there are any other changes made to the software, aside from the FaceTime fix.
Currently, Apple is working on betas for iOS 12.2, macOS 10.14.4, and tvOS 12.2, with the version numbers suggesting the releases will be more major than in previous updates. Outside the discovery of other security holes, it is unlikely there will be another release under the iOS 12.1 prefix.
The Group FaceTime exploit was relatively simple to perform, with the caller starting a FaceTime video call with a contact, then while the call is ringing, they added themselves to the call as a third party using their phone number. If properly executed, the Group FaceTime call commenced, with the original recipient's audio streaming before the call is accepted.
It has been suggested Apple may be preparing to provide the 14-year-old discoverer of the exploit, Grant Thompson, an award under the company's bug bounty scheme, after it became widely publicized on Twitter.
Devices not updated with Thursday's patches will not be allowed to access Group FaceTime.
Comments
- IT Security Staff everywhere, release a collective sigh of relief!