Apple Issues Security Updates for Older iOS Devices

What Happened

Apple has issued emergency security updates for older, unsupported versions of iOS and iPadOS to address a critical vulnerability actively exploited by the Coruna exploit kit. The updates, released on Wednesday, backport a fix originally issued in September 2023 for newer operating systems. The flaw, a WebKit memory corruption bug tracked as CVE-2023-43010, is now patched for devices running iOS 16.7.6 and iPadOS 16.7.6. This action was taken after threat intelligence confirmed the vulnerability was being weaponized in real-world attacks against these legacy systems.

Why It Matters

This incident is significant for two primary reasons. First, it demonstrates a clear shift in attacker focus towards exploiting older, unpatched systems that users and organizations often assume are no longer targeted. Second, Apple’s decision to backport a patch breaks from its typical support lifecycle, underscoring the severity of the in-the-wild exploitation. For enterprises with fleets of older iPads or iPhones used for kiosks, specialized applications, or by employees, this update is critical. It highlights the persistent risk posed by legacy assets in any network, which can serve as easy entry points for broader compromise.

Technical Details

The exploited vulnerability, CVE-2023-43010, is a type confusion issue within the WebKit browser engine. Successful exploitation allows an attacker to execute arbitrary code on the victim’s device. The Coruna exploit kit delivers this exploit through compromised or malicious websites. When a user visits such a site with a vulnerable device, the kit triggers the flaw to gain code execution, typically as a precursor to deploying surveillance payloads or cryptocurrency theft malware. The fix addresses the flaw in the following versions: iOS 16.7.6 and iPadOS 16.7.6. Devices that can upgrade to iOS/iPadOS 17 are not affected, as they received the patch earlier.

Immediate Risk

The immediate risk is HIGH for users and organizations still operating devices on iOS/iPadOS versions prior to 16.7.6. These systems are actively being targeted, and exploitation can lead to a complete device compromise. The Coruna kit has been linked to cyber-espionage and financial theft campaigns, meaning successful attacks could result in data exfiltration, credential theft, or financial loss. The availability of the patch reduces the risk significantly, but only if applied. The urgency to update eligible legacy devices is critical.

Security Insight

This event is a stark reminder that “unsupported” does not mean “unexploited.” Security teams must maintain an accurate inventory of all endpoint operating systems, including mobile and IoT devices, and have a clear policy for managing legacy systems that cannot receive standard updates. For devices that must remain on older OS versions, consider implementing additional network segmentation, strict web filtering, and application allow-listing to reduce the attack surface. Proactive patch management for all assets, regardless of age, remains a foundational security control.