There's no great white-hat hacking or technical knowledge at play here. The kid was observant, and realized it wasn't right. (Not to denigrate any technical expertise or talent that he does have - I have no knowledge.)

He did more than just accidentally call himself over Group FaceTime. He followed through and persisted when adults basically told him "go away, kid, ya bother me!"

That persistence is a great trait, no matter WHAT profession he chooses.

You must have inside information that hasn't been made public, because every article I've read states that his mother was the one who contacted Apple and persisted. In fact, the kid himself states his mother was the one who made the contact and continued to pester Apple.

“You can swipe up and add another person, so I added another friend of mine, Diego, to see if he also wanted to play,” he said. “But as soon as I added Diego, it forced Nathan to respond.”
...
His mother, Michele Thompson, said she started trying to reach Apple the next day.
...
“Every day he would ask me, ‘Did we hear from Apple yet?’” she said.

...
“My mom contacted them almost every single day through email, calling, faxing.” Of the fax, he jokes, “I’m not even sure what that is. It’s probably older than I am.”

Getting an official credit like this is huge. If this young man decides to go into security he could get into some very lucrative work in short order. Congratulations to you and your family.

because he accidentally stumbled into a bug?
 
Getting an official credit like this is huge. If this young man decides to go into security he could get into some very lucrative work in short order. Congratulations to you and your family.
His discovery really does not make him a security expert. More likely he could get a good job in Quality Control and Testing (which typically does not pay nearly as much).
 
Apple...has vowed to improve its bug reporting system to make sure future bug reports are distributed to the right people.
What about past bug reports? Are those being redistributed to the right people too or do we all just need to resubmit all the bugs that have gone unfixed for years?
 
Cool, so it only took 9to5mac picking up the story of the biggest security hole Apple has ever had in iOS, and over a week, for Apple to bother to fix it.
Seeing as they totally ignored repeated reports of the hole by that guy's mother, repeated reports...

Thank God for 9to5mac is all I say, or similar websites as without them the bug wouldn’t have been fixed for who knows how long, IMO Apple deserves to be hammered over this one because the ramifications of this security flaw are huge!

Apple's behaviour in this is despicable, the same arrogance as shown with the lies about its batteries for over a year. They promote all this security BS yet are far from secure, and like to ignore repeated bug reports..

Did they give the guy and his mother their top reward of 200,000 dollars for identifying the biggest security flaw / hole in iOS ever? Or have they brushed them off with a minimum payment and saved the rest to put towards all the lawsuits that will follow this ignorance they’ve shown towards security?
I'm sorry, but how on earth was the group FaceTime bug a "fast day 1 update"? It took them a week to acknowledge it and it was in the wild for three months.

It took them a week after 9to5mac blew the story up on the net, i.e. only when it was a news story that would damage Apple's reputation did they do something about it; meanwhile the biggest security hole in iOS ever could have allowed countless spying activities.

http://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
 
But can't the customers just take the bug reports directly to the engineers???
No, as a software engineer myself, there’s not a company in the world that will let customers directly contact engineers, except in extreme cases where the engineers request the contact. Usually that’s only if they cannot replicate the problem or if there’s something unique about the environment where the bug happened. If companies allowed it, engineers would never get anything done. It’s the job of their managers to protect them from things that distract them from their work.

Apparently, as with most large companies, there’s a problem with customer support communicating with the people necessary to get the ball rolling on fixes. Apple needs to fix that process. I don’t know if it was a matter of failure to communicate or a failure to prioritize. With something like this, I suspect the former.
 
Apple should also apologize to Grant Thompson and his mother for ignoring them for so long.
 
You mean new-old stock 2013 Mac Pro right? ;)
He picked it up and has a scholarship; you both just troll the web, so who is the silly one now?
Had to throw money at people, right Apple? You’re paying them with cash or check, right? Not an iTunes gift card, right?
You clearly can't read an article.
Cool, so it only took 9to5mac picking up the story of the biggest security hole Apple has ever had in iOS, and over a week, for Apple to bother to fix it.
Seeing as they totally ignored repeated reports of the hole by that guy's mother, repeated reports...

Thank God for 9to5mac is all I say, or similar websites as without them the bug wouldn’t have been fixed for who knows how long, IMO Apple deserves to be hammered over this one because the ramifications of this security flaw are huge!

Apple's behaviour in this is despicable, the same arrogance as shown with the lies about its batteries for over a year. They promote all this security BS yet are far from secure, and like to ignore repeated bug reports..

Did they give the guy and his mother their top reward of 200,000 dollars for identifying the biggest security flaw / hole in iOS ever? Or have they brushed them off with a minimum payment and saved the rest to put towards all the lawsuits that will follow this ignorance they’ve shown towards security?

It took them a week after 9to5mac blew the story up on the net, i.e. only when it was a news story that would damage Apple's reputation did they do something about it; meanwhile the biggest security hole in iOS ever could have allowed countless spying activities.

http://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
Tin-hat conspiracy.
 
I love how people claim it took Apple a week to fix it.
You realise they have people that keep an eye on every Apple article 24/7, right? When they wrote about the bug, Apple knew about it immediately, and the first thing they did was take down the servers so they didn't waste time and get more people affected by the bug. They took their time to fix it so it possibly won't happen again.
 
He picked it up and has a scholarship; you both just troll the web, so who is the silly one now?
You clearly can't read an article.
Tin-hat conspiracy.

No, actual fact. Fact: Apple ignored the boy and his mother’s repeated attempts to report the flaw, and let’s not forget that even after it hit the media storm, Apple did NOT disable the FaceTime servers immediately, just told people to turn FaceTime off, unless the media reports were wrong.
 
He picked it up and has a scholarship; you both just troll the web, so who is the silly one now?
You clearly can't read an article.
Tin-hat conspiracy.
Meow?! Already read. Y u mad bro?!
 
Yep, that’s exactly why he won’t have any problem finding work in the future. While 1337 hackers are in the weeds spending months looking for those juicy kernel exploits, vulnerabilities like this hide in plain sight. If it were scored as a CVE, it would probably be an 8 to a 10 (highest). Why? It’s dead simple to pull off. Don’t focus solely on the technical aspect. Look at the impact as well.

Sure, he won’t have any trouble finding work, just as long as his Mom is there to whine him into a job.
 
Apple's behaviour in this is despicable, the same arrogance as shown with the lies about its batteries for over a year. They promote all this security BS yet are far from secure, and like to ignore repeated bug reports..
Sure, Apple “like to ignore repeated bug reports” [emphasis added]!

Doubtless, you cleverly took advantage of this widely-reported vulnerability and turned the tables on the FaceTime developers. You have secretly-recorded video of them laughing maniacally at secretly-recorded video of MacRumors readers getting steamed up in the forums about this very issue!

Get a grip.
 
Cool, so it only took 9to5mac picking up the story of the biggest security hole Apple has ever had in iOS, and over a week, for Apple to bother to fix it.
Seeing as they totally ignored repeated reports of the hole by that guy's mother, repeated reports...

Thank God for 9to5mac is all I say, or similar websites as without them the bug wouldn’t have been fixed for who knows how long, IMO Apple deserves to be hammered over this one because the ramifications of this security flaw are huge!

Apple's behaviour in this is despicable, the same arrogance as shown with the lies about its batteries for over a year. They promote all this security BS yet are far from secure, and like to ignore repeated bug reports..

Did they give the guy and his mother their top reward of 200,000 dollars for identifying the biggest security flaw / hole in iOS ever? Or have they brushed them off with a minimum payment and saved the rest to put towards all the lawsuits that will follow this ignorance they’ve shown towards security?

It took them a week after 9to5mac blew the story up on the net, i.e. only when it was a news story that would damage Apple's reputation did they do something about it; meanwhile the biggest security hole in iOS ever could have allowed countless spying activities.

http://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
Curious, just like when it comes to many/most updates that address various security issues here and there, along with various bugs, how do we know that iOS 12.1.4 with the same fixes might not have been released this week even if there wasn't widespread public exposure of the bug?
 
Curious, just like when it comes to many/most updates that address various security issues here and there, along with various bugs, how do we know that iOS 12.1.4 with the same fixes might not have been released this week even if there wasn't widespread public exposure of the bug?
We really don't know anything for sure. Only people who are privy to Apple's support process would know what happened. Everything else is a guess. When people say Apple is ignoring people, we don't know that either. They probably receive tens of thousands of emails, phone messages, and bug reports every day. They have an entire support staff dedicated to going through all of those to filter out what's real and what's not real. We have no idea how long that takes. It's not like Apple's just sitting there doing nothing and ignores people all the time. With the volume of bug reports they get, it probably takes quite a long time to figure out what bug reports are high priority since most bugs reported are considered low priority and probably never get a response back. I doubt even a company with the resources of Apple has enough people to respond to everyone. Once a bug is prioritized by support, it probably then gets entered into bug tracking software.

Generally engineering managers look at bugs reported once a weekday and then prioritize which ones look like they have to be fixed immediately. Once prioritized, the bug fixes are then assigned to one or more QA engineers to diagnose and replicate. Depending on how complex that is, we have no idea how long that could take. Once QA confirms a problem, that's when engineers are assigned to fix it, assuming what QA finds is a critical issue. Keep in mind an email may sound horribly serious and world-ending, but the problem may end up being minor or might turn out to not be anything like what was described, and might even be a case of user error. Apple can't know that until they investigate the problem. Everything can't be top priority or nothing would ever get done. Something like this did turn out to be quite serious, but there's no way for Apple to know this right away.

Meanwhile, support is in charge of contacting people. They have to wait until Engineering responds before they can do anything. The problem with these types of issues is that when the press picks it up, it immediately takes the tone of a crisis. Why didn't Apple respond last week, before the bug was reported! Why wasn't it fixed yesterday? In the normal course of bug reporting, it could take weeks before anyone even notices it, depending on how many people are assigned to look into customer communications. That it took Apple a week to respond is actually pretty good for a large organization.

I once belonged to a large Fortune 100 company working as a software engineer. A week turnaround is actually not bad, considering how many people something like this has to go through. Generally a large important customer can push things forward faster, potentially getting bug fixes within a couple of days, but even then that could only happen if a bug drastically affects their business because there are always critical bugs to fix, most of them never known by any customer. But if a bug just comes from email or phone, it could take a great deal of time to separate real from phony. A company that large which gets so many reports daily can take a long time to respond.

Maybe all Apple needs to do is to respond with an automated email to say they got the report instead of taking a black eye by saying nothing. But when it comes to normal reports through normal channels, things take time. And depending on the bug and the progress they are making into replicating the issue, no response is probably normal. What if the bug reported had turned out to be very minor and the email had dramatically overblown the seriousness of the issue? Apple's not going to take a gigantic PR hit by shutting down all of FaceTime for something that might have turned out to be nothing serious. They were probably in the midst of examining the problem when it went public. The press, meanwhile, has a responsibility to contact Apple and get their side of the story before they make something like this public. What was Apple doing at the time? Did they replicate it? Was it really as serious as it looked?
 
No, as a software engineer myself, there’s not a company in the world that will let customers directly contact engineers, except in extreme cases where the engineers request the contact. Usually that’s only if they cannot replicate the problem or if there’s something unique about the environment where the bug happened. If companies allowed it, engineers would never get anything done. It’s the job of their managers to protect them from things that distract them from their work.

That's exactly right. If customers knew how to contact me directly, rather than following proper channels and going to the help desk, I'd get bugged constantly from people. I was even told NOT to give my number out to people because next time there's an issue, they'll ignore the process and go directly to the person that made things better last time. It's just human nature.

Still, I love reading about how to run a software company from people who can barely define the word software. It's what keeps me coming back here. Free entertainment!
 
What about past bug reports? Are those being redistributed to the right people too or do we all just need to resubmit all the bugs that have gone unfixed for years?
I’d be very surprised if bugs that have gone unfixed for years will get any fresh attention without renewed advocacy. Resubmit them, and get anyone else you think might care to report them as well. The more users who complain about a bug, the more likely it is to get squashed.
 
I’d be very surprised if bugs that have gone unfixed for years will get any fresh attention without renewed advocacy. Resubmit them, and get anyone else you think might care to report them as well. The more users who complain about a bug, the more likely it is to get squashed.
Bingo. As someone with 25 years as a software engineer, I can guarantee there are bugs that languish for years in the bug tracking software marked as low priority. Engineers will joke about these as things that will never get fixed. The only way a low priority bug will ever get escalated is if it becomes commonplace. Most engineering managers and technical leads will never look at low priority bugs again, filtering reports only for critical and high bugs. If, for some unlikely reason, there are no critical or high bugs, then medium ones may get looked at again (not that likely). But for a company the size of Apple with the complexity of iOS/macOS/etc, I can guarantee low priority bugs will never see the light of day.
 
No actual fact. Fact Apple ignored the boy and his mother’s repeated attempts to report the flaw, and let’s not forget even after it hit the media storm Apple did NOT disable the FaceTime servers immediately, just told people to turn FaceTime off, unless the media reports were wrong.
Conjecture, because you don't know what went on behind the scenes. Apple could have been readying a bug fix as the kid was the second person (according to MR) to contact Apple. It just so happens the timing was a coincidence.
To be fair, she did discover one of the biggest iOS security bugs ever.
Definitely not the biggest, as the remediation is: if your phone rings and you go to the screen, you can see what is going on. I tried it with two phones in my house.

The biggest bugs are some of the zero-day vulnerabilities, such as the Wi-Fi and Bluetooth vulnerabilities, for example, that were fixed in iOS 10 and that could just take over your phone without any recourse.
 



Following the release of iOS 12.1.4, Apple today issued an apology to customers and said that it had found and fixed the Group FaceTime bug and an additional security vulnerability involving Live Photos in the FaceTime app.


From a statement provided to MacRumors:

Going forward, Apple says that the Live Photos feature will not be available in FaceTime on older versions of iOS and macOS. Capturing a Live Photo will require iOS 12.1.4 or the new version of macOS 10.14.3. Apple is also restricting Group FaceTime from devices running earlier versions of iOS.

Apple in a security document released this morning outlines the specific fixes that were implemented in iOS 12.1.4 and the macOS 10.14.3 supplemental update.

Apple fixed a logic issue that existed in the handling of Group FaceTime calls with improved state management, and the Group FaceTime testing led to the discovery of the Live Photos issue. Apple says that the Live Photos bug was fixed with "improved validation on the FaceTime server."

Additional Foundation and IOKit bugs were fixed in iOS as well, addressing memory corruption issues that could lead to elevated privileges for applications.

Apple lists Grant Thompson of Catalina Foothills High School as one of the people who discovered the FaceTime bug. Thompson and his mother made multiple attempts to get into contact with Apple to inform the company of the bug well ahead of when it went public. Daven Morris of Arlington, TX is also listed as a person who discovered the vulnerability and reported it to Apple.

Apple has apologized for missing those messages and has vowed to improve its bug reporting system to make sure future bug reports are distributed to the right people. Apple will be compensating the Thompson family for finding and reporting the bug, and Apple will be providing an additional scholarship to be put towards Thompson's education.

Article Link: Apple's iOS 12.1.4 Update Also Fixes Live Photos Vulnerability, FaceTime Bug Reporter to Receive Bounty and Gift Toward Education
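The article describes the Group FaceTime fix only as "improved state management" for a "logic issue" in call handling, and earlier quotes in this thread describe the symptom: adding a third participant while the callee was still ringing "forced" the callee's device to respond. The following Python sketch is an added illustration (not Apple's code and not from the article) of what that kind of state-management fix looks like in the abstract: a simplified call model, with hypothetical names (`Call`, `add_participant_flawed`, `add_participant_fixed`, `media_invariant_holds`), in which the flawed transition treats "participant added" as "call is now live" while the hardened one lets only an explicit accept switch on the callee's media.

```python
# Added illustrative model, not Apple's implementation. It captures the
# invariant a state-management fix has to enforce: the callee's media may
# be on only after the callee explicitly accepted, whatever else happened.
from dataclasses import dataclass, field
from enum import Enum, auto


class CallState(Enum):
    RINGING = auto()   # callee's device is ringing, nothing accepted yet
    ACTIVE = auto()    # callee accepted; media may flow both ways
    ENDED = auto()


@dataclass
class Call:
    caller: str
    callee: str
    state: CallState = CallState.RINGING
    participants: set = field(default_factory=set)
    callee_accepted: bool = False   # explicit user action on the callee side
    callee_media_on: bool = False   # is the callee's mic/camera being sent?

    def __post_init__(self):
        self.participants.update({self.caller, self.callee})


def accept(call: Call) -> None:
    """The only legitimate path to callee media: the callee taps Accept."""
    call.callee_accepted = True
    call.state = CallState.ACTIVE
    call.callee_media_on = True


def add_participant_flawed(call: Call, who: str) -> None:
    """Hypothetical flawed transition: a 'participant added' event is treated
    as 'this is now a live group call', and the callee's media is started
    without checking that the callee ever accepted."""
    call.participants.add(who)
    call.state = CallState.ACTIVE
    call.callee_media_on = True


def add_participant_fixed(call: Call, who: str) -> None:
    """Hardened transition: adding a participant never changes whether the
    callee's media is on; only accept() can do that."""
    call.participants.add(who)
    if call.callee_accepted:
        call.state = CallState.ACTIVE
    # Still ringing: the call stays RINGING and callee media stays off.


def media_invariant_holds(call: Call) -> bool:
    """Invariant a server-side check or a test suite should enforce:
    callee media is on only if the callee explicitly accepted."""
    return (not call.callee_media_on) or call.callee_accepted


def leaks_before_accept(add_participant) -> bool:
    """Replay the sequence the thread describes: caller rings callee, then
    adds a third party while the callee is still ringing. Returns True if
    the callee's media was switched on before any accept."""
    call = Call(caller="caller", callee="callee")   # constructed sample call
    add_participant(call, "third_party")
    return not media_invariant_holds(call)


if __name__ == "__main__":
    print("flawed transition leaks callee media:",
          leaks_before_accept(add_participant_flawed))
    print("fixed transition leaks callee media:",
          leaks_before_accept(add_participant_fixed))
```

The useful part for a defender is `media_invariant_holds`: a property like this, checked on every transition and in the test suite, catches any future event handler that reaches `callee_media_on = True` by a route other than `accept`, which is exactly the class of bug a one-off patch to a single handler does not guard against.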

Anyone know anything about this information regarding Google released by Apple Insider? Let me know if this is new information or not

https://www.google.com/amp/s/applei...loited-by-hackers-google-researcher-says/amp/
 
I'm glad they found and fixed the Live Photos bug while fixing this one, and they didn't need another high school kid to find that one.
Good thing they fixed the Live Photos bug, Foundation bug and the IOKit bug. The last two were actually exploited in the wild. Google Project Zero actually found both. But at least they're not another high school kid. :p:D Probably should have been credited in the MR article.
CVE-2019-7286 and CVE-2019-7287
 