Apple has pushed out critical security updates for iOS and macOS, which fix not only the “Facepalm” FaceTime eavesdropping bug but also two zero-day flaws that, according to Google researchers, have been exploited in the wild.
The Facepalm bug (CVE-2019-6223) affects FaceTime Groups both on iOS and macOS, and was discovered by Grant Thompson, a high schooler from Arizona.
After the existence of the flaw and demonstration videos of its exploitation were made public, Apple decided to temporarily disable the FaceTime service until they could come up with a fix.
The flagging of this flaw also prompted Apple to do a thorough security audit of the FaceTime service, which led to the discovery of a bug affecting Live Photos (CVE-2019-7288).
We don’t know much about the two zero-days flagged by Google researchers, except that:
- CVE-2019-7286 affects the Foundation framework and is a memory corruption issue that could be exploited by an app to gain elevated privileges.
- CVE-2019-7287 affects the IOKit framework and is a memory corruption flaw that could be exploited by an app to execute arbitrary code with kernel privileges.
Google and Apple are keeping mum on how these issues are being exploited.
Users are advised to update their iOS and macOS devices as soon as possible. Those who disabled FaceTime on their devices when the Facepalm flaw was first publicized should remember to enable the service again.
Finally, those using the Shortcuts app for iOS should also update it to the newest version available (2.1.3).
The update fixes CVE-2019-7289, a parsing issue that could allow a local user to view sensitive user information, and CVE-2019-7290, an access issue that could allow a sandboxed process to circumvent sandbox restrictions.
The latter flaw can be exploited by attackers via malicious shortcuts, allowing them to steal targets’ sensitive and personal information.