Apple kills eavesdrop bug in FaceTime
Flaws also squashed in Safari, iTunes and iOS
Apple has released a bundle of patches to fix security holes in OS X, iOS, iTunes and Safari.
The bevy of updates also includes fixes for a number of issues in Apple's iCloud and iTunes for Windows software.
Among the most startling vulnerabilities addressed in the updates is a man-in-the-middle flaw discovered in FaceTime by researcher Martin Vigo. That flaw, CVE-2016-4635, would allow an attacker who had access to network traffic to eavesdrop on the audio portion of FaceTime calls even after the user had been told a call had ended.
"User interface inconsistencies existed in the handling of relayed calls," Apple said.
"These issues were addressed through improved FaceTime display logic."
The fix for the issue is included in both the OS X security update and iOS 9.3.3.
Other updates include fixes for six remote code execution vulnerabilities in OpenSSL, seven remote code execution flaws in QuickTime, and nine CVE-listed flaws in the WebKit browser engine that would allow remote code execution, data disclosure, and denial-of-service attacks.
The WebKit flaws (12 in all) are addressed by the iOS 9.3.3 update and by Safari 9.1.2, which is available for OS X Mavericks (10.9.5), Yosemite (10.10.5), and El Capitan (10.11.6).
Windows users, meanwhile, should check their PCs for updates to iTunes and iCloud. The iTunes for Windows 12.4.2 release addresses 15 different CVE-listed flaws in libxml and libxslt, while iCloud for Windows 5.2.1 fixes those same flaws in the cloud software clients.
For those who have an Apple Watch, the watchOS 2.2.2 update will remedy 26 CVE-listed vulnerabilities, while the tvOS 9.2.2 update will patch 27 flaws.
Users can download the patches from Apple through the Software Update tool in OS X, iOS, or Windows. The watchOS update can be downloaded and installed through iOS, while the tvOS update can be downloaded through the AppleTV "update software" screen. ®