Apple

Apple patches Group FaceTime, Shortcuts vulnerabilities

Posted on by

Last week Apple was hit by a serious and embarrassing bug affecting Group FaceTime. Shortly after the bug became public knowledge, Apple announced that a future software update would fix the issue, and that Group FaceTime would not be re-enabled on Macs and iOS devices until users installed the forthcoming update. At long last, software updates arrived on Thursday this week, and Apple has restored Group FaceTime calling.

Apple’s System Status page shows that Group FaceTime is back.

Listed for both macOS and iOS as an update that “provides security updates and is recommended for all users,” Apple gave minimal details about how the issue was fixed behind the scenes. Here’s what Apple did say:

iOS 12.1.4 and macOS Mojave 10.14.3 Supplemental Update

FaceTime
Available for: iPhone 5s and later, iPad Air and later, iPod touch 6th generation and macOS Mojave 10.14.3
Impact: The initiator of a Group FaceTime call may be able to cause the recipient to answer
Description: A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management.

 

Foundation
Available for: iPhone 5s and later, iPad Air and later, iPod touch 6th generation and macOS Mojave 10.14.3
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved input validation.

 

IOKit
Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Impact: An application may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved input validation.

 

Live Photos in FaceTime
Available for: iPhone 5s and later, iPad Air and later, iPod touch 6th generation and macOS Mojave 10.14.3
Impact: A thorough security audit of the FaceTime service uncovered an issue with Live Photos 
Description: The issue was addressed with improved validation on the FaceTime server.

The Foundation and IOKit fixes seems to be unrelated to the FaceTime bugs.

What stands out more than the expected Group FaceTime patch is the fix for FaceTime Live Photos. Apple does not go in to detail and remains rather vague about it, so this can be interpreted in a number of ways.

Live Photos in FaceTime allows you to take a photo of the call and just like a Live Photo taken with your Camera app, you get a five-second moving photo. An issue with this feature may mean that even though one of the participants on a call had that feature blocked (all participants need to have this feature enabled for it to work), maybe there was a way to take such a photo anyway. Or perhaps during Apple’s “thorough security audit of the FaceTime service” (perhaps initiated after the Group FaceTime spying bug came to light), Apple may have simply found an entirely different FaceTime bug that was unrelated to the spying bug.

In my testing so far, I have found that this update may cause issues with display orientation while on a call. The other participants of a Group FaceTime call will see me sideways and I have to leave the call and rejoin it for the issue to be addressed. I’d rather deal with this issue until the next update comes out than leave a major security hole wide open, though! If you experience similar issues, please leave a comment and let us know.

The full list of security fixes in iOS 12.1.4 can be found here. iOS users can update by going to Settings > General > Software Update on their devices, or by connecting the device to their computer where iTunes can download and install the update.

The full list of security fixes in the macOS Mojave 10.14.3 Supplemental Update can be found here. Mojave users should visit the Software Update pane in System Preferences (Apple menuSystem Preferences > Software Update) to grab the latest update.

Whether you’re using iOS or macOS, always back up your data prior to installing any updates. This gives you a restore point in case something does not go as planned.

Perhaps Apple will make new features available to the public through its beta program going forward. Group FaceTime was never publicly available in any of the beta versions; it’s possible that this bug might have been discovered and patched in time if it had been.

Shortcuts 2.1.3 for iOS

Apple also updated the Shortcuts app for iOS 12, apparently addressing the Shortcuts security issues that we detailed last week.

If you’ve installed Apple’s Shortcuts app (which doesn’t come preinstalled with iOS 12), check the App Store and make sure your Shortcuts app has been updated to the version 2.1.3.

How can I learn more?

Intego’s podcast hosts discussed the FaceTime bug and the safety of the Shortcuts app on the two most recent editions of the Intego Mac Podcast, so be sure to subscribe to make sure you don’t miss the episodes. You’ll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.

About Jay Vrijenhoek

Jay Vrijenhoek is an IT consultant with a passion for Mac security research. View all posts by Jay Vrijenhoek →