Apple reactivates old iPhone and iPad patches to stop Coruna operating kit

Apple has moved tab to protect older iPhone and iPad models after the detection of an operating kit that took advantage of WebKit engine failures. The company has reintroduced corrections that were already present in recent versions of the operating system and has packed them in updates for devices that cannot install the latest version of iOS.

The main failure linked to this round of patches appears in the vulnerability database as CVE-2023-43010, and it is described as a weakness in WebKit that could cause memory corruption by processing web content manipulated for malicious purposes. According to Apple, the solution goes through better internal engine management that prevents specially designed pages or scripts from triggering that unwanted behavior.

Initially, the correction for this problem was published in relatively new versions - including iOS 17.2, iPadOS 17.2 and macOS Sonoma 14.2 - and has now been "backcover" to previous branches of the system to reach terminals that can no longer be updated to the latest editions. Apple has detailed these patches on its official support pages, for example in the notes of iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2 and Safari 17.2 as well as in specific notices for older versions iOS 15.8.7 and iPadOS 15.8.7 and iOS 16.7.15 and iPadOS 16.7.15.

The update that affects iOS 15.8.7 and iPadOS 15.8.7 is not limited to CVE-2023-43010: it includes patches for several additional vulnerabilities that were being exploited within the same attack framework. These include: CVE-2023-43000, described as a "use-after-free" on WebKit; CVE-2023-41974, a use-after-free problem in the kernel with potential for code execution with core privileges; and CVE-2024-23222, a confusion-like vulnerability in WebKit that could allow arbitrary code execution by processing malicious web content. In practical terms, these failures allow an attacker to exploit them, run code on the device or scale privileges, making them very serious compromise vectors.

All this is linked to a set of exploits known as "Coruna," which security researchers and response teams have associated with a kit that brings together multiple attack chains. Technical reports - which have described more than twenty exploits grouped into several chains - show that the kit was oriented to iOS versions from 13.0 to 17.2.1. Groups that monitor malware and exploits, such as iVerify, have documented the use of Coruna in campaigns that deliver a larger attack framework (sometimes referred to as CryptoWaters), and the findings have been publicly analysed by different laboratories.

In parallel, journalistic statements have emerged about the possible origin of some parts of the code. According to these information, tools and exploits used by Coruna could have been developed by actors linked to the defence sector and subsequently filtered or sold to intermediaries. The names cited in the coverage have included a former director of a contractor who was convicted of transactions with vulnerabilities; however, the powers in this area are often complex and it is common for researchers to ask for caution before drawing definitive conclusions.

Another major consequence of the case is the re-use of vulnerabilities: Coruna incorporates exploits that point to failures already observed in previous campaigns, such as some that were grouped under the label "Operation Triangulation" the previous year. Security experts have stressed that coincidence in the exploited vulnerabilities does not necessarily imply that the code has been copied. A team with sufficient expertise can develop different exploits that point to the same weakness, and therefore attribution requires more extensive technical and contextual evidence than the simple re-use of failures.

In view of this picture, the main message for users and IT managers is simple: update the software when possible and apply the patches Apple has published for supported versions. Even when a device cannot receive the last iteration of the system, the retrocompatible updates Apple has released offer a critical defense layer against this type of threat. In addition, it is appropriate to maintain prudent browsing habits, avoid opening links or files of doubtful origins and review the security settings of the browser and system.

The proliferation of kits such as Coruna recalls that the safety of mobile devices is no longer just a matter of patches: it is an ecosystem where actors with different incentives compete for exploits, where technical findings can travel between markets and where transparency in research and speed in mitigation mark the difference between a controlled incident and a massive gap. For those who want to deepen the technical details of the corrected failures, Apple notes and public vulnerability databases are a good starting point and are available on the support pages and the NVD linked to this article.