The Reason Why You Need To Update To iOS 12.1.4 And Install The macOS Mojave Update RIGHT NOW Goes Beyond The FaceTime Bug

Apple yesterday released iOS 12.1.4 to fix that rather horrific FaceTime bug. I should also note that Apple released a macOS Mojave update to do the same thing. And you should install them right now, because the FaceTime bug is the least of your problems.

First of all, Apple, because it was caught with its pants down, metaphorically speaking, did a security audit to find out if there were any other issues that it should fix. After all, with the existence of the FaceTime bug being out there, it was likely that people who look for security issues, both good guys and bad guys, would be looking for anything else that they could exploit. And based on the release notes of the iOS update and the macOS update, they found something. Specifically this:

Impact: A thorough security audit of the FaceTime service uncovered an issue with Live Photos 

Description: The issue was addressed with improved validation on the FaceTime server. 

CVE-2019-7288: Apple

What is the issue? Who knows. A search for the CVE that is mentioned brings up nothing that says what the issue was. But it was clearly serious enough that they had to fix it and limit the ability to capture Live Photos to updated iDevices and Macs.

The other bugs are far more serious. They were brought to Apple’s attention by “an anonymous researcher, Clement Lecigne of Google Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel Groß of Google Project Zero”:

  • CVE-2019-7286 affects the Foundation framework and is a memory corruption issue that could be exploited by an app to gain elevated privileges.
  • CVE-2019-7287 affects the IOKit framework and is a memory corruption flaw that could be exploited by an app to execute arbitrary code with kernel privileges.

Given the fact that some big names in Google’s Threat Analysis Group and Project Zero are involved, these two security issues are serious. And that view is backed up by this tweet:

So who is Ben Hawkes and why should you care? Ben Hawkes is the team leader at Google’s Project Zero security team. He’s in a position to know how serious this is. Thus if he’s saying that exploits were already in the wild, you should take that seriously.

Thus, my advice is that you should update your iDevices and your Macs ASAP, as there are clearly some serious holes that have been exploited that Apple has fixed in these updates. And while you’re at it, you should update the Shortcuts app too, as there were a couple of security issues fixed in that app as well. After all, you can’t be too secure.

