Apple has released a iOS 12.1.4 with a fix for the bug that allowed FaceTime callers to listen in on a recipient’s iPhone even if the call was never answered.
The iOS 12.1.4 patch caps off a busy week for Apple on security and privacy issues, with the company responding not just a gaping FaceTime hole in iOS security but Facebook and Google being caught misusing its enterprise program for distributing data-collecting apps to the public that should have been restricted to employees of each company.
Apple last week apologized over the FaceTime bug, which affected iOS 12.1 and later, if both caller and recipient were on those versions of Apple's mobile OS. Group FaceTime arrived in iOS 12.1.
The bug was discovered by 14 year-old Grant Thompson of Arizona and reported by his mother in late January. Last week she publicly criticized Apple for the difficulties she faced reporting the bug.
Apple disabled the Group FaceTime feature about 10 days after her first attempts to contact it, but only after media outlets drew attention to the easily exploitable eavesdropping bug on January 28.
Apple’s handling of her report has attracted questions from US lawmakers about how it responds to bug reports, whether anyone besides Thompson had reported the bug, and when it first was aware of the issue.
According to Apple’s advisory, a Daven Morris of Arlington, Texas also reported the same bug, though it’s not known when Morris reported the bug.
Apple describes the impact as: “The initiator of a Group FaceTime call may be able to cause the recipient to answer.”
“A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management,” said Apple.
Despite the fix, it’s not clear yet when or whether Apple will re-enable the Group FaceTime feature it disabled on the server side.
iOS 12.1.4 also brings fixes for two memory corruption issues discovered by Google Project Zero.
Apple says it found a Live Photos flaw that was uncovered after a “thorough security audit” of the FaceTime service, which quite possibly happened in the days after the FaceTime bug was exposed.