Apple's iOS 12.1.4 Update Also Fixes Live Photos Vulnerability, FaceTime Bug Reporter to Receive Bounty and Gift Toward Education

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Feb 7, 2019.

  1. MacRumors macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    Following the release of iOS 12.1.4, Apple today issued an apology to customers and said that it had found and fixed the Group FaceTime bug and an additional security vulnerability involving Live Photos in the FaceTime app.


    From a statement provided to MacRumors:

    Going forward, Apple says that the Live Photos feature will not be available in FaceTime on older versions of iOS and macOS. Capturing a Live Photo will require iOS 12.1.4 or the new version of macOS 10.14.3. Apple is also restricting Group FaceTime from devices running earlier versions of iOS.

    Apple in a security document released this morning outlines the specific fixes that were implemented in iOS 12.1.4 and the macOS 10.14.3 supplemental update.

    Apple fixed a logic issue that existed in the handling of Group FaceTime calls with improved state management, and the Group FaceTime testing led to the discovery of the Live Photos issue. Apple says that the Live Photos bug was fixed with "improved validation on the FaceTime server."

    Additional Foundation and IOKit bugs were fixed in iOS as well, addressing memory corruption issues that could lead to elevated privileges for applications.

    Apple lists Grant Thompson of Catalina Foothills High School as one of the people who discovered the FaceTime bug. Thompson and his mother made multiple attempts to get into contact with Apple to inform the company of the bug well ahead of when it went public. Daven Morris of Arlington, TX is also listed as a person who discovered the vulnerability and reported it to Apple.

    Apple has apologized for missing those messages and has vowed to improve its bug reporting system to make sure future bug reports are distributed to the right people. Apple will be compensating the Thompson family for finding and reporting the bug, and Apple will be providing an additional scholarship to be put towards Thompson's education.

     
  2. whooleytoo macrumors 604

    whooleytoo

    Joined:
    Aug 2, 2002
    Location:
    Cork, Ireland.
    #2
    Sounds good. But I hope it's not just a reactive bounty, but they're also looking at bounty programmes going forward.

    Apple really needs to 'double down' on security. These are not minor glitches.
     
  3. motm95 macrumors regular

    Joined:
    Aug 19, 2010
    #3
    As much as I get annoyed at Apple these days for various things, and even though it is extremely concerning that Apple let a bug this serious slip through in the first place, I have to say overall Apple is pretty darn responsive at addressing security problems and releasing updates. I am also very glad that iPhone users don't have to rely on wireless carriers to get these security fixes.
     
  4. CWallace macrumors 603

    CWallace

    Joined:
    Aug 17, 2007
    Location:
    Seattle, WA
    #4
    Apple has an established "bug bounty" program for iOS, but not macOS. That might be changing, however, based on the macOS Keychain vulnerability that the founder had stated he would not share with Apple due to the lack of such a bounty program.
     
  5. killawat macrumors 65816

    Joined:
    Sep 11, 2014
    #5
    Getting an official credit like this is huge. If this young man decides to go into security he could get into some very lucrative work in short order. Congratulations to you and your family.
     
  6. Mabsport macrumors newbie

    Mabsport

    Joined:
    Aug 18, 2014
    Location:
    United Kingdom
    #6
    Hope the kid gets paid well for identifying this bug. Love Apple for the fast response and security update to all phones. Something Samsung are not very good at on my Note 9. Wait forever to get any type of software push. It's painful to be honest.
     
  7. asiga macrumors 6502a

    Joined:
    Nov 4, 2012
    #7
    ...oh no, they didn’t clear the Beats stock yet... I guess this means another year with eBay plenty of sealed brand new Beats headphones...
     
  8. AngerDanger macrumors 68040

    AngerDanger

    Joined:
    Dec 9, 2008
    #8
    I’d love to get paid for accidentally calling myself over Group FaceTime.
     
  9. alirz macrumors regular

    Joined:
    Sep 28, 2011
    Location:
    Montreal,Canada
    #9
    $50 gift card for them I bet and a 10% discount on a new Mac Pro.
     
  10. waquzy macrumors 6502a

    waquzy

    Joined:
    Sep 9, 2013
    Location:
    Leicestershire, UK
    #10
    That's why Samsung's phones will never match the harmony of the iPhone, the only phone that can do that would be the Pixel, as Google develops both the hardware and software, same as Apple. Therefore fast day 1 updates are guaranteed, unlike with Samsung, it will never be the case... unless Samsung comes up with its own software
     
  11. Attirex macrumors 6502

    Joined:
    Apr 8, 2015
    #11
    CUT TO:

    Grant's mom "making it rain" on Instagram with a pile of bills while "living the best life."
     
  12. Andres Cantu macrumors 68030

    Andres Cantu

    Joined:
    May 31, 2015
    Location:
    Rio Grande Valley in South Texas
    #12
    I had a feeling a scholarship was coming. That’s the right call for Apple, and for the kid’s future.
     
  13. lostczech macrumors member

    lostczech

    Joined:
    Sep 8, 2009
    #13
    You mean new-old stock 2013 Mac Pro right? ;)
     
  14. I7guy macrumors P6

    I7guy

    Joined:
    Nov 30, 2013
    Location:
    Gotta be in it to win it
    #14
    So Dave Morris discovered the bug and Grant Thompson was afterwards?
     
  15. macfacts macrumors 68030

    macfacts

    Joined:
    Oct 7, 2012
    Location:
    Cybertron
    #15
    Apple needs more "people persons" to get the bug reports from users to the engineers.
     
  16. jtara macrumors 68000

    Joined:
    Mar 23, 2009
    #16
    There's no great white-hat hacking or technical knowledge at play here. The kid was observant, and realized it wasn't right. (Not to denigrate any technical expertise or talent that he does have - I have no knowledge.)

    He did more than just accidentally call himself over Group FaceTime. He followed through and persisted when adults basically told him "go away, kid, ya bother me!"

    That persistence is a great trait, no matter WHAT profession he chooses.
     
  17. Stygma macrumors member

    Stygma

    Joined:
    Jan 24, 2018
    #17
    But can't the customers just take the bug reports directly to the engineers???
     
  18. Doctor Q Administrator

    Doctor Q

    Staff Member

    Joined:
    Sep 19, 2002
    Location:
    Los Angeles
    #18
    I'm glad they found and fixed the Live Photos bug while fixing this one, and they didn't need another high school kid to find that one.
     
  19. jazz1 macrumors 68000

    jazz1

    Joined:
    Aug 19, 2002
    Location:
    Mid-West USA
    #19
    Aw, come on. Let the kid win the Apple Security Lottery ;) I'm pushing all the software buttons on my iPhone from now on ;)
     
  20. killawat macrumors 65816

    Joined:
    Sep 11, 2014
    #20
    Yep, that’s exactly why he won’t have any problem finding work in the future. While 1337 hackers are in the weeds spending months looking for those juicy kernel exploits, vulnerabilities like this hide in plain sight. If it were a CVE it would probably be an 8 to a 10 (highest). Why? It’s dead simple to pull off. Don’t focus solely on the technical aspect. Look at the impact as well.
     
  21. WatchFromAfar macrumors 65816

    WatchFromAfar

    Joined:
    Jan 26, 2017
    #21
    I'm sorry, but how on earth was the group FaceTime bug a "fast day 1 update"? It took them a week to acknowledge it and it was in the wild for three months.
     
  22. waquzy macrumors 6502a

    waquzy

    Joined:
    Sep 9, 2013
    Location:
    Leicestershire, UK
    #22
    I meant regarding new software releases; the bug fixes etc. do take a bit longer than a day indeed, but even then Apple is on it like a rash.
     
  23. Berti10 macrumors regular

    Berti10

    Joined:
    Jan 24, 2012
    #23
    Yey... and what about the Bug, that iCloud Photo Library DELETES MY PHOTOS, that I reported in October 2017!! :mad::mad::mad::mad::mad::mad::mad::mad::mad::mad::mad:

    If you are interested: This Bug has occurred ever since I have had my iPhone 8 Plus. When I edit a Photo in VSCO or Instagram and save the edited file to my Library, iCloud thinks it's a duplicate and deletes it. Portrait Mode Photos are not affected and Photos from SLR are no problem as well. Even if I edit them on my iPad and try to save them. I don't know what's going on and Apple does not respond! :mad::mad::mad:
     
  24. alpi123 macrumors 6502a

    alpi123

    Joined:
    Jun 18, 2014
    #24
    Nah, actually the minimum reward he can get was said to be $25,000 all the way up to $100,000? Idk, something along those lines. It's certainly a huge amount.
    --- Post Merged, Feb 7, 2019 ---
    As said, he meant updates in general. Samsung for example, whenever a new Android version comes up, they have to modify it for their phones which takes months.
     
  25. pat500000 Suspended

    pat500000

    Joined:
    Jun 3, 2015
    #25
    Had to throw money at people, right, Apple? You’re paying them with cash or check, right? Not iTunes gift card, right?
     
