Apple fixes two vulnerabilities and looks set to scrap 3D Touch

11 Jul 2019

Image: © blackzheep/Stock.adobe.com

Rumours about the removal of 3D Touch continue to circulate, while Apple has been managing two separate vulnerabilities relating to Zoom and the Apple Watch.

Yesterday (10 July), software engineer and cybersecurity researcher Jonathan Leitschuh exposed a major vulnerability in remote video conferencing service Zoom which primarily affected Mac users.

In a post on Medium, Leitschuh wrote: “This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, without the user’s permission.”

Leitschuh also said: “If you’ve ever installed the Zoom client and then uninstalled it, you still have a localhost web server on your machine that will happily reinstall the Zoom client for you, without requiring any user interaction on your behalf besides visiting a webpage.”

Zoom’s reaction to the major vulnerability was somewhat underwhelming, with the company initially defending the flaw, describing it as a “workaround” to solve another issue.

Leitschuh offered Zoom users a quick method of patching the vulnerability in his blogpost, but Apple decided to take action against the vulnerability after the news broke and silently updated millions of Macs.

In an automated update, which required no user action, Apple removed the hidden web server that Leitschuh criticised Zoom for installing on millions of computers.

Zoom spokesperson Priscilla McCarthy told TechCrunch: “We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today. We appreciate our user’s patience as we continue to work through addressing their concerns.”

Forbes remarked that this move by Apple was “unprecedented”. While Apple’s silent updates are common enough and used whenever malware has been detected, it is rare for the company to step in and resolve “an issued created by a well-known application after a public disclosure”.

Issues with the Apple Watch

In other news relating to Apple, the company has decided to temporarily disable the Walkie Talkie app on the Apple Watch, after a vulnerability was discovered.

Walkie Talkie was added to the Apple Watch last year with the release of WatchOS 5. It uses a tweaked form of FaceTime Audio to offer users push-to-talk calls.

Although the company has no evidence that this vulnerability was ever exploited, Apple decided it’s better to be safe than sorry – especially when other companies are facing so much criticism for leaving vulnerabilities and flaws unchecked.

Apple released a statement saying: “We were just made aware of a vulnerability related to the Walkie Talkie app on the Apple Watch and have disabled the function as we quickly fix the issue.

“We apologise to our customers for the inconvenience and will restore the functionality as soon as possible. Although we are not aware of any use of the vulnerability against a customer and specific conditions and sequences of events are required to exploit it, we take the security and privacy of our customers extremely seriously.

“We concluded that disabling the app was the right course of action as this bug could allow someone to listen through another customer’s iPhone without consent. We apologise again for this issue and the inconvenience.”

This is the second time Apple has had to disable a FaceTime calling feature in 2019. In January, the company had to take action after a bug allowing users to eavesdrop through FaceTime was discovered.

The end of 3D Touch?

As we near Apple’s annual autumn launch, there are plenty of rumours flying around about the announcements the company is set to make in the coming weeks. It’s almost certain that the next round of iPhones won’t be 5G compatible, so most of the speculation at this point relates to the next iPhone’s battery.

In news that may not come as a surprise to some users, Apple looks set to dump the iPhone’s 3D Touch feature, which was excluded from the XR model last September.

According to Digitimes, industry sources say that touch module manufacturers TPK Holding and General Interface Solution are still taking orders for legacy iPhone models, new iPads and new MacBoook models, but Apple may be removing 3D touch sensors from 2019 iPhone models.

Since January 2019, the Wall Street Journal and Barclays analysts have been among those suggesting that 3D Touch was going to be dropped this year, after it was absent from the iOS 13 betas. However, Craig Federighi from Apple insisted that this omission was just a bug.

The rumoured decision to remove the feature has been met with some criticism. Forbes called it “bad news for magical features” and claimed that Apple did not sufficiently commit to the technology behind 3D Touch.

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com