Apple Releases Security Update With Fix for Group FaceTime Bug, Promises to Compensate Teenaged Finder



Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation

Impact: The initiator of a Group FaceTime call may be able to cause the recipient to answer

Description: A logic issue existed in the handling of Group FaceTime calls. The issue was addressed with improved state management.

CVE-2019-6223: Grant Thompson of Catalina Foothills High School, Daven Morris of Arlington, TX

I owe readers a correction. The way this bug presented itself caused me to think that video and microphone data was being transmitted from the device before the recipient answered the call. Apple’s phrasing in the “Impact” section here means that I misinterpreted how this bug behaved.

There are three additional security fixes in this update, including one for a vaguely described vulnerability involving Live Photos during a FaceTime call. Apple says that customers who have not applied this security update will not be able to use Live Photos during a FaceTime call.

Juli Clover, MacRumors:

Apple has apologized for missing [the first reports of this bug] and has vowed to improve its bug reporting system to make sure future bug reports are distributed to the right people. Apple will be compensating the Thompson family for finding and reporting the bug, and Apple will be providing an additional scholarship to be put towards Thompson’s education.

Kudos. While they’re at it, Apple should also reward Linus Henze for the bug he found in the MacOS Keychain.