The Group FaceTime eavesdropping bug was one that was crucial enough to create outrage across the world. At the beginning of the month, Apple promised a fix, after disabling the service on their end, and now iOS 12.1.4 is available and we highly recommend you update to fix FaceTime. “iOS 12.1.4 provides important security updates and is recommended for all users“, is what the description says, but, in short, it fixes the Group FaceTime bug.
That’s not the only one that gets fixed though. According to Ben Hawkes on the Google Project Zero security team, this update also fixes two zero-day vulnerabilities. These are CVE-2019-7286 and CVE-2019-7287. The first allows an app to gain elevated privileges due to a memory corruption issue, and the second allows an app to execute arbitrary code with kernel privileges, due to the same memory corruption issue.
These, and others, are described in Apple’s Security Bulleting for iOS 12.1.4.
CVE-2019-7286 and CVE-2019-7287 in the iOS advisory today (https://t.co/ZsIy8nxLvU) were exploited in the wild as 0day.
— Ben Hawkes (@benhawkes) February 7, 2019