GoKawiilApple has detailed the security content for iOS 16.7.15, iOS 15.8.7, iPadOS 16.7.15, and iPadOS 15.8.7, confirming that the updates address the Coruna vulnerability disclosed last week by Google and iVerify. Here are the details.
Apple moved quickly after the Coruna exploit became public
A few days ago, Google and iVerify published details on Coruna, an exploit that chained multiple vulnerabilities to target iPhones running older iOS versions.
In a nutshell, the exploit leverages five full iOS exploit chains and 23 vulnerabilities to vulnerable devices running iOS 13 through iOS 17.2.1.
Earlier today, Apple released iOS 16.7.15, iOS 15.8.7, iPadOS 16.7.15, and iPadOS 15.8.7, stating only that the system updates contained “important security fixes”.
Now, Apple has published the security content for the updates, confirming that they address kernel and WebKit vulnerabilities associated with the Coruna exploit, and that they fix it on “devices that cannot update to the latest iOS version.”
Here’s the full security content for iOS 15.8.7 and iPadOS 15.8.7:
Kernel Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) Impact: An app may be able to execute arbitrary code with kernel privileges. This fix associated with the Coruna exploit was shipped in iOS 17 on September 18, 2023. This update brings that fix to devices that cannot update to the latest iOS version. Description: A use-after-free issue was addressed with improved memory management. CVE-2023-41974: Félix Poulin-Bélanger WebKit Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) Impact: Processing maliciously crafted web content may lead to arbitrary code execution. This fix associated with the Coruna exploit was shipped in iOS 17.3 on January 22, 2024. This update brings that fix to devices that cannot update to the latest iOS version. Description: A type confusion issue was addressed with improved checks. WebKit Bugzilla: 267134 CVE-2024-23222 WebKit Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) Impact: Processing maliciously crafted web content may lead to memory corruption. This fix associated with the Coruna exploit was shipped in iOS 16.6 on July 24, 2023. This update brings that fix to devices that cannot update to the latest iOS version. Description: A use-after-free issue was addressed with improved memory management. WebKit Bugzilla: 255951 CVE-2023-43000: Apple WebKit Available for: iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation) Impact: Processing maliciously crafted web content may lead to memory corruption. This fix associated with the Coruna exploit was shipped in iOS 17.2 on December 11th, 2023. This update brings that fix to devices that cannot update to the latest iOS version. Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 260913 CVE-2023-43010: Apple
And here’s the full security content for iOS 16.7.15 and iPadOS 16.7.15:
WebKit Available for: iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation Impact: Processing maliciously crafted web content may lead to memory corruption. This fix associated with the Coruna exploit was shipped in iOS 17.2 on December 11th, 2023. This update brings that fix to devices that cannot update to the latest iOS version. Description: The issue was addressed with improved memory handling. WebKit Bugzilla: 260913 CVE-2023-43010: Apple
... continue reading