Apple Releases Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit
On Wednesday, Apple rolled back security bug fixes for iOS, iPadOS, and macOS Sonoma in older versions after it was discovered that they were being used as part of the Coruna kit.
Vulnerability, followed by CVE-2023-43010relates to an unspecified vulnerability in WebKit that can lead to memory corruption when processing poorly crafted web content. The iPhone maker said the issue was addressed through improved management.
“This fix related to the Coruna exploit kit was shipped with iOS 17.2 on December 11, 2023,” Apple said in an advisory. “This update brings those fixes to devices that can’t upgrade to the latest version of iOS.”
The fix for CVE-2023-43010 was first released by Apple in the following versions –
The latest round of fixes to bring it to older versions of iOS and iPadOS –
- iOS 15.8.7 and iPadOS 15.8.7 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- iOS 16.7.15 and iPadOS 16.7.15 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch first generation
In addition, iOS 15.8.7 and iPadOS 15.8.7 include patches for three additional vulnerabilities related to the Coruna exploit kit –
- CVE-2023-43000 (Originally fixed in iOS 16.6, released July 24, 2023) – A post-free implementation issue in WebKit that could lead to memory corruption when processing poorly designed web content.
- CVE-2023-41974 (Initially fixed in iOS 17, released on September 18, 2023) – A post-free use issue in the kernel that could allow an app to run arbitrary code with kernel privileges.
- CVE-2024-23222 (Initially fixed in iOS 17.3, released January 22, 2024) – A type of confusion issue in WebKit that could lead to incorrect code execution when processing poorly designed web content.
Details of Coruna emerged earlier this month after Google said the exploit kit contained 23 features across five chains designed to target iPhone models running iOS versions between 13.0 and 17.2.1. iVerify, which tracks the malware framework that uses the exploit kit under the name CryptoWaters, said it has similarities to previous frameworks created by threat actors working with the US government.
The development comes amid speculation that Coruna may have been designed by US military contractor L3Harris and that it may have been passed on to Russian exploit vendor Operation Zero by Peter Williams, the company’s former general manager who was sentenced to more than seven years in prison last month for selling dozens of exploits for money.
An interesting feature of Coruna is the use of two vulnerabilities (CVE-2023-32434 and CVE-2023-38606) that were equipped as zero days in a campaign called Operation Triangulation targeting users in Russia in 2023. Kaspersky told Hacker News that it is possible that their team will come up with enough skills, if they provide enough skills for their team to be skilled enough for publicly available applications.
“Despite our extensive research, we are not aware that Operation Triangulation is related to any known APT group or development company,” Boris Larin, chief security researcher at Kaspersky GReAT, told Hacker News via email.
“To be precise: neither Google nor Verify in their published research claims that Coruna also uses the Triangulation code. What they identify is that the two functions in Coruna – Photon and Gallium – target the same vulnerability. That is an important difference. In our opinion, the attribution cannot be based only on the fact of exploiting this flaw.”
