Apple's iOS 12.1.4 Update Also Fixes Live Photos Vulnerability, FaceTime Bug Reporter to Receive Bounty and Gift Toward Education

Discussion in ' News Discussion' started by MacRumors, Feb 7, 2019.

  1. az431 macrumors 6502a


    Sep 13, 2008
    Portland, OR
    You must have inside information that hasn't been made public, because every article I've read states that his mother was the one who contacted Apple and persisted. In fact, then kid himself states his mother was the one who made the contact and continued to pester Apple.

    “You can swipe up and add another person, so I added another friend of mine, Diego, to see if he also wanted to play,” he said. “But as soon as I added Diego, it forced Nathan to respond.”
    His mother, Michele Thompson, said she started trying to reach Apple the next day.
    “Every day he would ask me, ‘Did we hear from Apple yet?’ she said.

    “My mom contacted them almost every single day through email, calling, faxing.” Of the fax, he jokes, “I’m not even sure what that is. It’s probably older than I am.”

    --- Post Merged, Feb 7, 2019 ---
    because he accidentally stumbled into a bug?
  2. CrystalQuest76 Suspended

    Dec 14, 2015
    West Cost A Lot
    His discovery really does not make him a security expert. More likely he could get a good job in Quality Control and Testing (which typically does not pay nearly as much).
  3. omihek macrumors 6502


    May 3, 2014
    Salt Lake City, UT
    What about past bug reports? Are those being redistributed to the right people too or do we all just need to resubmit all the bugs that have gone unfixed for years?
  4. Baymowe335 macrumors 68040

    Oct 6, 2017
  5. apolloa, Feb 7, 2019
    Last edited: Feb 7, 2019

    apolloa macrumors G4

    Oct 21, 2008
    Time, because it rules EVERYTHING!
    Cool, so it only took 9to5mac picking up the story of the biggest security hole Apple has ever had in iOS, and over a week for Apple to bother to fix it.
    Seeing as they totally ignored repeated reports of the holes by that guys mother, repeated reports...

    Thank God for 9to5mac is all I say, or similar websites as without them the bug wouldn’t have been fixed for who knows how long, IMO Apple deserves to be hammered over this one because the ramifications of this security flaw are huge!

    Apples behaviour in this is despicable, the same arrogance as shown with the lies about its batteries for over a year. They promote all this security BS yet are far from secure, and like to ignore repeated bug reports..

    Did they give the guy and his mother their top reward of 200,000 dollars for identifying the biggest security flaw / hole in iOS ever? Or have they brushed them off with a minimum payment and saving the rest to put towards all the law suites that will follow this ignorance they’ve shown towards security?
    --- Post Merged, Feb 7, 2019 ---
    It took them a week after 9to5mac blew the story up on the net.. I.e. only when it was a news story that would damage Apples reputation did they do something about it, meanwhile the biggest security hole in iOS ever could have allowed countless spying activities.
  6. tobybrut macrumors newbie

    Sep 10, 2010
    No, as a software engineer myself, there’s not a company in the world that will let customers directly contact engineers, except in extreme cases where the engineers request the contact. Usually that’s only if they cannot replicate the problem or if there’s something unique about the environment where the bug happened. If companies allowed it, engineers would never get anything done. It’s the job of their managers to protect them from things that distract them from their work.

    Apparently, as with most large companies, there’s a problem with customer support communicating with the people necessary to get the ball rolling on fixes. Apple needs to fix that process. I don’t know if it was a matter of failure to communicate or a failure to prioritize. With something like this, I suspect the former.
  7. calzon65 macrumors 6502a


    Jul 16, 2008
    Apple should also apologize to Grant Thompson and his mother for ignoring them for so long.
  8. LaraCroft835 macrumors member


    Apr 22, 2014
    Adelaide, Australia
    he picked it up and has a scholarship, you both just troll the web so who is the silly one now
    --- Post Merged, Feb 7, 2019 ---
    you clearly cant read an article
    --- Post Merged, Feb 7, 2019 ---
    tin hat conspiracy
  9. alpi123 macrumors 6502a


    Jun 18, 2014
    I love how people claim it took Apple a week to fix it.
    You realise they have people that keep an eye on every Apple article 24/7 right? When they wrote about the bug, Apple knew about it immediately and the first thing they did was take down the servers so they don't waste time and get more people affected by the bug. They took their time to fix it and possibly not happen again.
  10. apolloa macrumors G4

    Oct 21, 2008
    Time, because it rules EVERYTHING!
    No actual fact. Fact Apple ignored the boy and his mother’s repeated attempts to report the flaw, and let’s not forget even after it hit the media storm Apple did NOT disable the FaceTime servers immediately, just told people to turn FaceTime off, unless the media reports were wrong.
  11. pat500000 macrumors G3


    Jun 3, 2015
    Meow?! Already read. Y u mad bro?!
  12. supercoolmanchu macrumors regular


    Mar 5, 2012
    Sure, he won’t have any trouble finding work, just as long as his Mom is there to whine him into a job.
  13. Colonel Blimp, Feb 7, 2019
    Last edited: Feb 7, 2019

    Colonel Blimp macrumors member

    Colonel Blimp

    Dec 1, 2016
    Sure, Apple “like to ignore repeated bug reports” [emphasis added]!

    Doubtless, you cleverly took advantage of this widely-reported vulnerability and turned the tables on the FaceTime developers. You have secretly-recorded video of them laughing maniacally at secretly-recorded video of MacRumors readers getting steamed up in the forums about this very issue!

    Get a grip.
  14. WannaGoMac macrumors 68020


    Feb 11, 2007
    What Live photos issue? Is there a link to its description?
  15. C DM macrumors Sandy Bridge

    Oct 17, 2011
    Curious, just like when it comes to many/most updates that address various security issues here and there, along with various bugs, how do we know that iOS 12.1.4 with the same fixes might not have been released this week even if there wasn't widespread public exposure of the bug?
  16. tobybrut macrumors newbie

    Sep 10, 2010
    We really don't know anything for sure. Only people who are privy to Apple's support process would know what happened. Everything else is a guess. When people say Apple is ignoring people, we don't know that either. They probably receive tens of thousands of emails, phone messages, and bug reports every day. They have an entire support staff dedicated to going through all of those to filter out what's real and what's not real. We have no idea how long that takes. It's not like Apple's just sitting there doing nothing and ignores people all the time. With the volume of bug reports they get, it probably takes quite a long time to figure out what bug reports are high priority since most bugs reported are considered low priority and probably never get a response back. I doubt even a company with the resources of Apple has enough people to respond to everyone. Once a bug is prioritized by support, it probably then gets entered into bug tracking software.

    Generally engineering managers look at bugs reported once a weekday and then prioritize which ones look like they have to be fixed immediately. Once prioritized, the bug fixes are then assigned to one or more QA engineers to diagnose and replicate. Depending on how complex that it, we have no idea how long that could take. Once QA confirms a problem, that's when engineers are assigned to fix it, assuming what QA finds is a critical issue. Keep in mind an email may sound horribly serious and world-ending, but the problem may end up being minor or might turn out to not be anything like what was described, and might even be a case of user error. Apple can't know that until they investigate the problem. Everything can't be top priority or nothing would ever get done. Something like this did turn out to be quite serious, but there's no way for Apple to know this right away.

    Meanwhile, support is in charge of contacting people. They have to wait until Engineering responds before they can do anything. The problem with these types of issues is that when the press picks it up, it immediately takes the tone of a crisis. Why didn't Apple respond last week, before the bug was reported! Why wasn't it fixed yesterday? In the normal course of bug reporting, it could take weeks before anyone even notices it, depending on how many people are assigned to look into customer communications. That it took Apple a week to respond is actually pretty good for a large organization.

    I once belonged to a large Fortune 100 company working as a software engineer. A week turnaround is actually not bad, considering how many people something like this has to go through. Generally a large important customer can push things forward faster, potentially getting bug fixes within a couple of days, but even then that could only happen if a bug drastically affects their business because there are always critical bugs to fix, most of them never known by any customer. But if a bug just comes from email or phone, it could take a great deal of time to separate real from phony. A company that large which gets so many reports daily can take a long time to respond.

    Maybe all Apple needs to do is to respond with an automated email to say they got the report instead of taking a black eye by saying nothing. But when it comes to normal reports through normal channels, things take time. And depending on the bug and the progress they are making into replicating the issue, no response is probably normal. What if the bug reported had turned out to be very minor and the email had dramatically overblown the seriousness of the issue? Apple's not going to take a gigantic PR hit by shutting down all of FaceTime for something that might have turned out to be nothing serious. They were probably in the midst of examining the problem when it went public. The press, meanwhile, has a responsibility to contact Apple and get their side of the story before they make something like this public. What was Apple doing at the time? Did they replicate it? Was it really as serious as it looked?
  17. MEJHarrison macrumors 65816

    Feb 2, 2009
    That's exactly right. If customers knew how to contact me directly, rather than following proper channels and going to the help desk, I'd get bugged constantly from people. I was even told NOT to give my number out to people because next time there's an issue, they'll ignore the process and go directly to the person that made things better last time. It's just human nature.

    Still, I love reading about how to run a software company from people who can barely define the word software. It's what keeps me coming back here. Free entertainment!
  18. Colonel Blimp macrumors member

    Colonel Blimp

    Dec 1, 2016
    I’d be very surprised if bugs that have gone unfixed for years will get any fresh attention without renewed advocacy. Resubmit them, and get anyone else you think might care to report them as well. The more users who complain about a bug, the more likely it is to get squashed.
  19. tobybrut macrumors newbie

    Sep 10, 2010
    Bingo. As someone with 25 years as a software engineer, I can guarantee there are bugs that languish for years in the bug tracking software marked as low priority. Engineers will joke about these as things that will never get fixed. The only way a low priority bug will ever get escalated is if it becomes commonplace. Most engineering managers and technical leads will never look at low priority bugs again, filtering reports only for critical and high bugs. If, for some unlikely reason, there are no critical or high bugs, then medium ones may get looked at again (not that likely). But for a company the size of Apple with the complexity of iOS/macOS/etc, I can guarantee low priority bugs will never see the light of day.
  20. btrach144 macrumors 65816


    Aug 28, 2015
    To be fair, she did discover one of the biggest iOS security bugs ever.
  21. audiophilosophy macrumors member

    Sep 13, 2017
    New Orleans
  22. I7guy macrumors P6


    Nov 30, 2013
    Gotta be in it to win it
    Conjecture, because you don't know what went on behind the scenes. Apple could have been readying a bug fix as the kid was the second person (according to MR) to contact Apple. It just so happens the timing was a coincidence.
    --- Post Merged, Feb 7, 2019 ---
    Definitely not the biggest as the remediation is if your phone rings and you go to the screen, you can see what is going on. I tried it with two phones in my house.

    The biggest bugs are some of the zero day vulnerabilities such as the wifi and bluetooth vulnerabilities, for example, that were fixed in ios 10 that could just take over your phone without any recourse.
  23. theapplehead macrumors member


    Dec 17, 2018
    Anyone know anything about this information regarding Google released by Apple Insider? Let me know if this is new information or not
  24. urnotl33t macrumors member


    Jan 26, 2017
    Holly Springs, NC, USA
    No no no.. I talk to the customers, and then tell that to the engineers!
  25. 69Mustang, Feb 7, 2019
    Last edited: Feb 7, 2019

    69Mustang macrumors 603


    Jan 7, 2014
    In between a rock and a hard place
    Good thing they fixed the Live Photos bug, Foundation bug and the IOKit bug. The last two were actually exploited in the wild. Google Project Zero actually found both. But at least they're not another high school kid. :p:D Probably should have been credited in the MR article.
    CVE-2019-7286 and CVE-2019-7287

Share This Page