Apple on Wednesday backported fixes for a security flaw in iOS, iPadOS, and macOS Sonoma to older versions after it was found to be used as part of the Coruna exploit kit.
The vulnerability, tracked as CVE-2023-43010, relates to an unspecified vulnerability in WebKit that could result in memory corruption when processing maliciously crafted web content. The iPhone maker said the issue was addressed with improved handling.
“This fix associated with the Coruna exploit kit was shipped in iOS 17.2 on December 11th, 2023,” Apple said in an advisory. “This update brings that fix to devices that cannot update to the latest iOS version.”
Fixes for CVE-2023-43010 were originally released by Apple in the following versions –
The latest round of fixes brings it to older versions of iOS and iPadOS –
- iOS 15.8.7 and iPadOS 15.8.7 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
- iOS 16.7.15 and iPadOS 16.7.15 – iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation
What’s more, iOS 15.8.7 and iPadOS 15.8.7 incorporate patches for three more vulnerabilities associated with the Coruna exploit kit –
- CVE-2023-43000 (Originally fixed in iOS 16.6, released on July 24, 2023) – A use-after-free issue in WebKit that could lead to memory corruption when processing maliciously crafted web content.
- CVE-2023-41974 (Originally fixed in iOS 17, released on September 18, 2023) – A use-after-free issue in the kernel that could allow an app to execute arbitrary code with kernel privileges.
- CVE-2024-23222 (Originally fixed in iOS 17.3, released on January 22, 2024) – A type confusion issue in WebKit that could lead to arbitrary code execution when processing maliciously crafted web content.
Details of Coruna emerged earlier this month after Google said the exploit kit features 23 exploits across five chains designed to target iPhone models running iOS versions between 13.0 and 17.2.1. iVerify, which is tracking the malware framework that uses the exploit kit under the name CryptoWaters, said it has similarities to previous frameworks developed by threat actors affiliated with the U.S. government
The development comes amid speculation that Coruna was likely designed by U.S. military contractor L3Harris and that it may have been passed to Russian exploit broker Operation Zero by Peter Williams, a former general manager at the company who was sentenced to more than seven years in prison last month for selling several exploits in exchange for money.
An interesting aspect of Coruna is the use of two exploits (CVE-2023-32434 and CVE-2023-38606) that were weaponized as zero-days in a campaign dubbed Operation Triangulation targeting users in Russia in 2023. Kaspersky told The Hacker News that it’s possible for any sufficiently skilled team to come up with their own exploits, given that both the flaws have publicly available implementations.
“Despite our extensive research, we are unable to attribute Operation Triangulation to any known APT group or exploit development company,” Boris Larin, principal security researcher at Kaspersky GReAT, told The Hacker News in an email.
“To be precise: neither Google nor iVerify in their published research claims that Coruna reuses Triangulation’s code. What they identify is that two exploits in Coruna — Photon and Gallium — target the same vulnerabilities. That’s an important distinction. In our opinion, attribution cannot be based solely on the fact of exploitation of these vulnerabilities.”
