Reprinted from TidBITS by permission; reuse governed by Creative Commons license BY-NC-ND 3.0. TidBITS has offered years of thoughtful commentary on Apple and Internet topics. For free email subscriptions and access to the entire TidBITS archive, visit http://www.tidbits.com/

Older iPhones and iPads Receive Critical Security Updates for Coruna Exploits

Adam Engst

Apple has released [1]iOS 15.8.7, [2]iOS 16.7.15, and their corresponding iPadOS versions to address four security vulnerabilities associated with the Coruna exploit kit, a collection of tools that could allow attackers to compromise iPhones through malicious websites. The updates bring critical security fixes to older devices that cannot upgrade to the latest iOS versions.

Earlier this month, [3]Google revealed the existence of the Coruna exploit kit:

    Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named 'Coruna' by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.

    ...

    The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly urged to update their devices to the latest version of iOS. In instances where an update is not possible, it is recommended that [4]Lockdown Mode be enabled for enhanced security.

Interestingly, Apple addressed these vulnerabilities years ago in iOS 16 and 17 but never backported the fixes to older versions. Why not? Perhaps Apple didn't consider them worth fixing, or, more charitably, didn't realize these vulnerabilities had been discovered outside the company, since two of the four were found by Apple itself. Either way, it's evidence that Apple doesn't backport every security fix.

Here are the affected devices, including the seventh-generation iPod touch from 2019, which is actually the newest of them; the rest came out from 2014 through 2017.

iOS/iPadOS 15.8.7:

* iPhone 6s and iPhone 6s Plus
* iPhone 7 and iPhone 7 Plus
* iPhone SE (1st generation)
* iPad Air 2
* iPad mini (4th generation)
* iPod touch (7th generation)

iOS/iPadOS 16.7.15:

* iPhone 8 and iPhone 8 Plus
* iPhone X
* iPad (5th generation)
* iPad Pro 9.7-inch
* iPad Pro 12.9-inch (1st generation)

If you (or people you know) are still using one of these devices (check in Settings > General > About since my experience is that people with much older devices often don't remember the precise model), I strongly recommend updating immediately via Settings > General > Software Update.

The Google Threat Intelligence Group's research shows that these vulnerabilities have proliferated broadly, including to suspected Russian espionage groups and a financially motivated hacking group from China. In other words, these exploits aren't just being used against high-profile targets.

References

1. https://support.apple.com/en-us/126632
2. https://support.apple.com/en-us/126646
3. https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit
4. https://support.apple.com/en-us/105120