Apple Update: Drop Everything and Patch iOS
Zero Days Being Exploited; Apple Contributes to 'FacePalm' Bug Finder's Tuition
Patch now. That's the message security experts have for all iOS users following Apple's release of a security update on Thursday.
"The Apple update is really rather important - there's not been much made of it, but the zero days it fixed were being exploited for real," Alan Woodward, a visiting professor at the University of Surrey, tells Information Security Media Group.
The update, iOS 12.1.4, works on iPhone 5s and later, iPad Air and later, and iPod touch 6th generation, Apple says.
iOS user? Update to 12.1.4 now. It has some important zero days fixed as well as that Group FaceTime flaw. The zero days were found in the wild so it's not just theoretical.— Alan Woodward (@ProfWoodward) February 8, 2019
Zero-Day Attacks Exploited Flaws
The iOS update patches Foundation, a framework that Apple notes "provides a base layer of functionality for apps and frameworks, including data storage and persistence, text processing, date and time calculations, sorting and filtering, and networking." By exploiting a Foundation memory corruption flaw, designated CVE-2019-7286, an application can gain elevated privileges on a device.
The update also patches IOKit, Apple's library for developing kernel-resident device drivers. A memory corruption flaw, designated CVE-2019-7287, can be exploited to "execute arbitrary code with kernel privileges," according to the security updates. Apple says it has added better input validation to block exploitation.
Credit for reporting both of those flaws goes to "an anonymous researcher" as well as Clement Lecigne of Google Threat Analysis Group and Google Project Zero's Ian Beer and Samuel Groß.
Ben Hawkes, who leads Google's Project Zero security team, says both zero-day flaws were being exploited in the wild.
CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.— Ben Hawkes (@benhawkes) February 7, 2019
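The practical follow-up to an advisory like this is to find the devices in your fleet that have not yet taken the fix. The script below is an added example for this article, not code from Apple or from ISMG: it runs a constructed, MDM-style device export (the device IDs, models and versions are made up) against the 12.1.4 fix version and sorts each device into patched, vulnerable or unknown. Versions are compared numerically rather than as strings, so "12.1" correctly sorts below "12.1.4" and a later "12.10" would not be mistaken for an older release.

```python
"""Triage an iOS inventory against the iOS 12.1.4 advisory (CVE-2019-7286,
CVE-2019-7287). Added example; the inventory below is constructed, not real."""
from typing import Dict, List, Tuple

# Release that fixes both in-the-wild zero days (from Apple's advisory).
PATCHED_VERSION = "12.1.4"

# Constructed MDM-style export; device IDs, models and versions are made up.
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "model": "iPhone X",   "os_version": "12.1.4"},
    {"device_id": "dev-002", "model": "iPhone 8",   "os_version": "12.1.3"},
    {"device_id": "dev-003", "model": "iPad Air 2", "os_version": "12.1"},
    {"device_id": "dev-004", "model": "iPhone 7",   "os_version": "iOS 11.4.1"},
    {"device_id": "dev-005", "model": "iPhone XS",  "os_version": "12.2"},
    {"device_id": "dev-006", "model": "iPhone 6s",  "os_version": ""},
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '12.1.4' (or 'iOS 12.1') into a 3-tuple of ints.

    Missing components count as 0, so '12.1' -> (12, 1, 0). A plain string
    comparison would get '12.1' vs '12.1.4' and '12.2' vs '12.10' wrong.
    Raises ValueError for empty or non-numeric input.
    """
    text = version.strip()
    if text.lower().startswith("ios"):
        text = text[3:].strip()
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version format: {version!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def is_patched(version: str) -> bool:
    """True if the device runs 12.1.4 or anything newer."""
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket device IDs into patched / vulnerable / unknown.

    'unknown' covers records whose version cannot be parsed; those need a
    fresh check-in rather than being silently counted as safe.
    """
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for device in inventory:
        try:
            bucket = "patched" if is_patched(device["os_version"]) else "vulnerable"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(device["device_id"])
    return result


if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>10}: {', '.join(ids) or '-'}")
```

Note that the fix is only offered for the devices Apple lists (iPhone 5s and later, iPad Air and later, iPod touch 6th generation); anything older will keep showing up as vulnerable with no update to apply, which is a replacement or isolation decision rather than a patching one.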
Apple Fixes FacePalm
The iOS update includes a fix for the vulnerability colloquially known as "FacePalm," a flaw that allowed FaceTime callers to see and hear recipients before they answered the call (see: Apple Rushes to Fix Serious FaceTime Eavesdropping Flaw).
"Today's software update fixes the security bug in Group FaceTime," Apple says in a statement. "We again apologize to our customers and we thank them for their patience."
Apple says it has also addressed a newly discovered FaceTime flaw in the Live Photos feature, with changes to both the FaceTime app and its servers.
"In addition to addressing the bug that was reported, our team conducted a thorough security audit of the FaceTime service and made additional updates to both the FaceTime app and server to improve security. This includes a previously unidentified vulnerability in the Live Photos feature of FaceTime," Apple says. "To protect customers who have not yet upgraded to the latest software, we have updated our servers to block the Live Photos feature of FaceTime for older versions of iOS and macOS."
Saga of the FaceTime Flaw
After the FaceTime flaw was discovered, Apple took Group FaceTime offline, pending a fix.
After Apple began pushing the patch on Thursday, Group FaceTime was back online.
The FaceTime flaw, CVE-2019-6223, was discovered by 14-year-old Grant Thompson, of Tucson, Arizona, who found the bug around Jan. 19 while organizing a Fortnite video game session. He and his mother attempted to contact Apple - by call, tweet and fax - to report the flaw.
Apple's bug bounty program can reward researchers with up to hundreds of thousands of dollars in compensation.
But Apple only appears to have paid attention after the flaw was documented by 9to5Mac.
Subsequently, Apple said it had learned its lesson from the incident (see: Apple Vows to Improve Bug Reporting After FaceTime Flaw).
"We are committed to improving the process by which we receive and escalate these reports, in order to get them to the right people as fast as possible," the company said. "We take the security of our products extremely seriously, and we are committed to continuing to earn the trust Apple customers place in us."
In its Thursday security update, Apple gave a shout-out to Thompson and his high school - as well as another researcher - for reporting the flaw:
CVE-2019-6223: Grant Thompson of Catalina Foothills High School, Daven Morris of Arlington, TX
Apple told news outlets, without offering financial specifics, that it compensated Thompson with a bug bounty for finding the flaw and gave him a gift to help cover his education expenses.
Daven Morris, also given credit in Apple's security update, reported the flaw separately from Thompson. Morris, a 27-year-old software developer, told The Wall Street Journal that he'd discovered the flaw about a week earlier while planning a trip with friends, and that he reported it to Apple on Jan. 27 - several days after the Thompsons, and one day before details of the flaw became publicly known.