
Apple on Wednesday backported a fix to older versions of iOS, iPadOS, and macOS Sonoma after a security flaw was found to have been exploited as part of the Coruna exploit kit.
The vulnerability, tracked as CVE-2023-43010, is an unspecified WebKit flaw that could lead to memory corruption when processing maliciously crafted web content. The iPhone maker said the issue was resolved through improved handling.
“This fix related to the Coruna exploit shipped in iOS 17.2 on December 11, 2023,” Apple said in an advisory. “This update applies a fix to devices that cannot be updated to the latest iOS version.”
A fix for CVE-2023-43010 was originally released by Apple in the following versions:
The latest round of updates backports the fix to the following older versions of iOS and iPadOS:
iOS 15.8.7 and iPadOS 15.8.7 – iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)
iOS 16.7.15 and iPadOS 16.7.15 – iPhone 8, iPhone 8 Plus, iPhone X, iPad (5th generation), iPad Pro 9.7-inch, and iPad Pro 12.9-inch (1st generation)
In addition, iOS 15.8.7 and iPadOS 15.8.7 include patches for three more vulnerabilities related to the Coruna exploit.
CVE-2023-43000 (originally fixed in iOS 16.6, released on July 24, 2023) – A use-after-free issue in WebKit that may lead to memory corruption when processing maliciously crafted web content.
CVE-2023-41974 (originally fixed in iOS 17, released on September 18, 2023) – A use-after-free issue in the kernel that could allow an app to execute arbitrary code with kernel privileges.
CVE-2024-23222 (originally fixed in iOS 17.3, released on January 22, 2024) – A type confusion issue in WebKit; processing maliciously crafted web content may lead to arbitrary code execution.
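As an added example (not Apple's or the article's code), the Python script below encodes the fix versions the article lists for the four CVEs and checks a constructed device inventory against them. The point it shows is that patch status is per major branch, not a single threshold: iOS 17.2.1 is above 15.8.7 and 16.7.15 yet still lacks the CVE-2024-23222 fix, which only shipped in 17.3. Branches the article says nothing about (iOS 16 for the three additional CVEs) are reported as unknown rather than guessed; the carry-forward of a fix into every later major branch is my assumption, and the inventory is constructed.

```python
"""Branch-aware patch check for the Coruna-related CVEs named in the article.

Added example, not Apple's or the article's code. It encodes only the fix
versions the article states. Assumption: a fix shipped in one major branch
is present in every later major branch. Branches the article does not cover
are reported as "unknown" rather than guessed.
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Minimum patched version per major iOS/iPadOS branch, from the article.
FIXES: Dict[str, Dict[int, Version]] = {
    "CVE-2023-43010": {15: (15, 8, 7), 16: (16, 7, 15), 17: (17, 2)},
    "CVE-2023-43000": {15: (15, 8, 7), 16: (16, 6)},
    "CVE-2023-41974": {15: (15, 8, 7), 17: (17, 0)},
    "CVE-2024-23222": {15: (15, 8, 7), 17: (17, 3)},
}


def parse_version(text: str) -> Version:
    """Turn '16.7.15' into (16, 7, 15); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def patch_status(cve: str, version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one CVE on one device.

    Tuples compare element by element, so (17, 2, 1) >= (17, 2) and
    (16, 7, 15) > (16, 7, 9) behave the way version numbers should.
    """
    v = parse_version(version)
    branches = FIXES[cve]
    major = v[0]
    if major in branches:
        return "patched" if v >= branches[major] else "vulnerable"
    if major > max(branches):
        # Assumption (not stated in the article): a fix shipped in an
        # earlier major release is carried into every later major release.
        return "patched"
    # Either a branch older than any listed fix, or a gap the article does
    # not cover (e.g. iOS 16 for CVE-2023-41974): do not guess.
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each device to the CVEs it is NOT confirmed patched against.

    'unknown' is treated as open, which is the conservative choice for a
    fleet report.
    """
    report: Dict[str, List[str]] = {}
    for device, version in inventory.items():
        report[device] = [
            cve for cve in FIXES if patch_status(cve, version) != "patched"
        ]
    return report


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = {
    "iphone-7-a": "15.8.7",
    "iphone-7-b": "15.8.6",
    "iphone-8-a": "16.7.15",
    "iphone-x-a": "16.7.14",
    "iphone-12-a": "17.2.1",
    "iphone-13-a": "17.3",
}

if __name__ == "__main__":
    for device, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{device:12} {'OK' if not cves else ', '.join(cves)}")
```

A naive "version >= 15.8.7" rule would mark every iOS 17.x device as patched; the branch table is what catches the 17.2.1 device still exposed to CVE-2024-23222, and the "unknown" result is what keeps the 16.7.15 device from being silently reported clean for fixes the article never says were backported to iOS 16.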
Details about Coruna were revealed earlier this month after Google announced that the exploit kit contains 23 exploits across five chains designed to target iPhone models running iOS versions 13.0 to 17.2.1. iVerify, which tracks under the name CryptoWaters a malware framework that uses such exploit kits, said the framework has similarities to previous frameworks developed by threat actors affiliated with the U.S. government.
The development comes amid reports that Coruna was likely designed by U.S. military contractor L3Harris and may have been passed on to Russian exploit broker Operation Zero by the company's former general manager Peter Williams, who was sentenced to more than seven years in prison for selling several exploits in exchange for money.
An interesting aspect of Coruna is the use of two exploits (CVE-2023-32434 and CVE-2023-38606) that were weaponized as zero-days in a campaign called “Operation Triangulation” that targeted Russian users in 2023. Kaspersky told The Hacker News that since implementations of both flaws are publicly available, any sufficiently skilled team could come up with their own exploits.
“Despite extensive investigation, the cause of Operation Triangulation cannot be attributed to any known APT group or exploit developer,” Boris Larin, Kaspersky GReAT’s lead security researcher, told The Hacker News via email.
“To be precise, neither Google nor iVerify claim in their published research that Coruna reuses code from Triangulation. What they do identify is that two of Coruna’s exploits (Photon and Gallium) target the same vulnerability. This is an important distinction. In our opinion, attribution is not based solely on the fact of exploitation of these vulnerabilities.”
