Apple patches FaceTime flaw, and two exploited zero-days in new security update

An Apple security update released Thursday includes fixes for three vulnerabilities hackers already have exploited, leaving customers who fail to download the new software unprotected from known threats.

The security patch, iOS 12.1.4, squashes the widely publicized FaceTime bug that allowed attackers to spy on others via audio and video. It also fixes two zero-day vulnerabilities that Ben Hawkes, a researcher on Google’s Project Zero security team, said had been exploited before the update was issued. The bugs, tracked as CVE-2019-7286 and CVE-2019-7287, would have allowed attackers to gain elevated privileges and to execute arbitrary code with kernel privileges, respectively.

Few details were immediately available about how and when those bugs were exploited, though prominent experts are encouraging users to update their phones as soon as possible. Users should visit the “Settings” page on their iPhone, then follow “General” to “Software Update.” Click “Download and Install.”

The update comes one week after New York Governor Andrew Cuomo and Attorney General Letitia James announced the state would investigate Apple’s handling of the FaceTime flaw. The software issue allowed iPhone users to see and listen to others before the recipient answered the video call.

A 14-year-old boy from Arizona first found the problem while chatting with friends during a session of the video game “Fortnite.” The boy’s mother spent roughly a week trying to notify Apple about the issue, with little feedback.

The company now says it will pay the family an undisclosed amount as compensation for reporting the issue.