More than a week after the first reports of a critical vulnerability in Apple’s FaceTime messaging application surfaced, an official patch is now available.
As it turns out, however, the FaceTime flaw was one of three different zero-day issues that attackers were actively exploiting in Apple’s iOS mobile operating system. Apple released the iOS 12.1.4 update for its mobile device users on Feb. 7, patching a total of four issues, alongside the macOS Mojave 10.14.3 supplement update for Apple’s laptop and desktop users, which provides three patches.
The FaceTime flaw, formally identified as CVE-2019-6223 and informally known as “FacePalm,” enabled attackers to eavesdrop on other users’ devices, even if they didn’t pick up the call request.
“The initiator of a Group FaceTime call may be able to cause the recipient to answer,” Apple warned in its advisory. “A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management.”
Also of note with the FaceTime CVE-2019-6223 advisory is that Apple acknowledged 14-year-old teenager Grant Thompson of Catalina Foothills High School I Tucson, Ariz., as one of two original reporters for the flaw, along with Daven Morris of Arlington, Texas. Thompson discovered the issue at the end of 2018 and along with his mother repeatedly attempted to gain Apple’s attention to address the flaw. It wasn’t, however, until a media report on Jan. 28 about the flaw that Apple acknowledged there was an issue.
Google Project Zero
While a teenager was able to find a critical zero-day issue in Apple’s technology, another pair of zero-day issues were reported via Google’s Project Zero security research group.
“CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today were exploited in the wild as 0Day,” Ben Hawks, Google Project Zero lead, wrote in a Twitter message.
Neither Hawks, Google nor Apple has provided any public detail on where the exploitation of the zero-day flaws is occurring. Apple’s advisory for CVE-2018-7286 identifies the issue as being in the Foundation component in both iOS and macOS. The Foundation is a framework that provides a base layer for other protocols and application libraries for Apple’s operating system.
“An application may be able to gain elevated privileges,” Apple warned in its advisory for CVE-2019-7286.
The CVE-2019-7287 zero-day issued discovered by Google Project Zero is in the IOKit component of iOS. IOKit enables applications to gain access to hardware devices and drivers.
“An application may be able to execute arbitrary code with kernel privileges,” Apple warned in its advisory for CVE-2019-7287.
Both the CVE-2019-7286 and CVE-2019-7287 issues involve memory corruption flaws that Apple has now patched with improved input validation.
Live Photos in FaceTime
Beyond just the three zero-day flaws that were reported to Apple by different researchers, Apple itself also discovered a flaw that is being patched in both iOS and macOS that involved FaceTime.
“A thorough security audit of the FaceTime service uncovered an issue with Live Photos,” the CVE-2019-7288 advisory states. “The issue was addressed with improved validation on the FaceTime server.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.