Apple Issues Security Updates for Older iOS Devices Targeted by Coruna WebKit Exploit

Apple released fixes for a security hole in iOS, iPadOS, and macOS Sonoma on Wednesday. This hole was found to be part of the Coruna exploit kit. The vulnerability, known as CVE-2023-43010, has to do with an unknown flaw in WebKit that could cause memory corruption when processing web content that was made to be harmful.

The company that makes the iPhone said that better handling fixed the problem. Apple said in an advisory, "This fix for the Coruna exploit kit was sent out with iOS 17.2 on December 11, 2023."

"This update gives that fix to devices that can't get the newest version of iOS." Apple first released fixes for CVE-2023-43010 in the following versions: iOS 17.2, iPadOS 17.2, macOS Sonoma 14.2, and Safari 17.2. The most recent round of fixes brings it to older versions of iOS and iPadOS: iOS 15.8.7 and iPadOS 15.8.7.

It works with the iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). iOS 16.7.15 and iPadOS 16.7.15 work with the iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation. Additionally, iOS 15.8.7 and iPadOS 15.8.7 include fixes for three more Coruna-related vulnerabilities.

CVE-2023-43000 (first fixed in iOS 16.6, released on July 24, 2023) is an exploit kit that has a use-after-free bug in WebKit that could corrupt memory when processing web content that was made to be harmful.

CVE-2023-41974 (first fixed in iOS 17, which came out on September 18, 2023) is a use-after-free problem in the kernel that could let an app run any code with kernel privileges. CVE-2024-23222 (fixed in iOS 17.3, which came out on January 22, 2024) is a type confusion problem in WebKit that could let malicious web content run arbitrary code. Earlier this month, Google said that the exploit kit has 23 exploits across five chains that are meant to target iPhone models running iOS versions 13.0 to 17.2.1. iVerify, which is keeping an eye on the malware framework that uses the exploit kit called CryptoWaters, said it is similar to other frameworks made by threat actors linked to the U.S.

the government There are rumors that the U.S. military contractor L3Harris made Coruna and that Peter Williams, a former general manager at the company who was sentenced to more than seven years in prison last month for selling several exploits for money, may have given it to Russian exploit broker Operation Zero. One interesting thing about Coruna is that it uses two exploits (CVE-2023-32434 and CVE-2023-38606) that were turned into weapons in a campaign called Operation Triangulation that went after Russian users in 2023. Kaspersky told ZeroOwl that any team with enough skill can make their own exploits, since both flaws have public implementations.

Boris Larin, the head security researcher at Kaspersky GReAT, told ZeroOwl in an email, "Despite our extensive research, we cannot link Operation Triangulation to any known APT group or exploit development company." "To be clear, neither Google nor iVerify's published research says that Coruna uses Triangulation's code again. What they find is that Photon and Gallium, two exploits in Coruna, both target the same weaknesses.

That is a very important difference. We believe that attribution cannot be solely predicated on the exploitation of these vulnerabilities.