Older iPhones and iPads Receive Critical Security Updates for Coruna Exploits

Originally published at: Older iPhones and iPads Receive Critical Security Updates for Coruna Exploits - TidBITS

Apple has released iOS 15.8.7, iOS 16.7.15, and their corresponding iPadOS versions to address four security vulnerabilities associated with the Coruna exploit kit—a collection of tools that could allow attackers to compromise iPhones through malicious websites. The updates bring critical security fixes to older devices that cannot upgrade to the latest iOS versions.

Earlier this month, Google revealed the existence of the Coruna exploit kit:

Google Threat Intelligence Group (GTIG) has identified a new and powerful exploit kit targeting Apple iPhone models running iOS version 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). The exploit kit, named “Coruna” by its developers, contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses.

The Coruna exploit kit is not effective against the latest version of iOS, and iPhone users are strongly urged to update their devices to the latest version of iOS. In instances where an update is not possible, it is recommended that Lockdown Mode be enabled for enhanced security.

Interestingly, Apple addressed these vulnerabilities years ago in iOS 16 and 17 but never backported the fixes to older versions. Why not? Perhaps Apple didn’t consider them worth fixing, or—more charitably—didn’t realize these vulnerabilities had been discovered outside the company, since two of the four were found by Apple itself. Either way, it’s evidence that Apple doesn’t backport every security fix.

Here are the affected devices—including the seventh-generation iPod touch from 2019, which is actually the newest of them; the rest came out from 2014 through 2017.

iOS/iPadOS 15.8.7:

  • iPhone 6s and iPhone 6s Plus
  • iPhone 7 and iPhone 7 Plus
  • iPhone SE (1st generation)
  • iPad Air 2
  • iPad mini (4th generation)
  • iPod touch (7th generation)

iOS/iPadOS 16.7.15:

  • iPhone 8 and iPhone 8 Plus
  • iPhone X
  • iPad (5th generation)
  • iPad Pro 9.7-inch
  • iPad Pro 12.9-inch (1st generation)

If you (or people you know) are still using one of these devices (check in Settings > General > About since my experience is that people with much older devices often don’t remember the precise model), I strongly recommend updating immediately via Settings > General > Software Update. The Google Threat Intelligence Group’s research shows that these vulnerabilities have proliferated broadly, including to suspected Russian espionage groups and a financially motivated hacking group from China. In other words, these exploits aren’t just being used against high-profile targets.

7 Likes
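A fleet check built from the model lists, fixed versions and targeted range given above, as an added example that is not part of the original article or thread. The function names and the sample inventory rows are constructed for illustration. Versions are compared numerically because a plain string comparison would rank 16.7.8 above 16.7.15.

```python
import re

# Model lists and fixed versions exactly as given in the article above.
FIXED = {
    (15, 8, 7): ["iPhone 6s", "iPhone 6s Plus", "iPhone 7", "iPhone 7 Plus",
                 "iPhone SE (1st generation)", "iPad Air 2",
                 "iPad mini (4th generation)", "iPod touch (7th generation)"],
    (16, 7, 15): ["iPhone 8", "iPhone 8 Plus", "iPhone X",
                  "iPad (5th generation)", "iPad Pro 9.7-inch",
                  "iPad Pro 12.9-inch (1st generation)"],
}
# Range the GTIG quote gives for the kit: iOS 13.0 up to 17.2.1.
RANGE_LO, RANGE_HI = (13, 0, 0), (17, 2, 1)

def parse_version(text):
    """'16.7.8' -> (16, 7, 8); short forms such as '16.6' are zero-padded."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){0,2}", text):
        raise ValueError(f"unrecognised version: {text!r}")
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(model, version):
    """Return (status, action) for one inventory row (hypothetical helper)."""
    v = parse_version(version)
    for fixed, models in FIXED.items():
        if model in models:
            if v >= fixed:
                return ("patched", "none")
            return ("update", "install " + ".".join(map(str, fixed)))
    # Not on either list: the article's advice is the latest iOS release.
    if RANGE_LO <= v <= RANGE_HI:
        return ("update", "install latest iOS")
    return ("outside reported range", "stay on latest iOS")

# Constructed sample inventory: (model as shown in Settings > General > About, OS version).
INVENTORY = [
    ("iPad Pro 12.9-inch (1st generation)", "16.7.8"),
    ("iPhone SE (1st generation)", "15.8.7"),
    ("iPhone SE (2nd generation)", "16.6"),
    ("iPad Air 2", "15.8.3"),
]

if __name__ == "__main__":
    for model, version in INVENTORY:
        status, action = triage(model, version)
        print(f"{model:38} {version:8} {status:24} {action}")
```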

Updated an iPhone SE (1st generation) yesterday. It is currently used as a music device.

Thank you for this post, Adam. I wouldn’t have known about this because Apple hasn’t sent any notice to update. I am in the process of updating my iPad Air 2 now. It is on Preparing Update and it’s forever!

1 Like

Thank you Adam. I have a couple of those devices mainly for music purposes but they do connect online sometimes. Great help!

1 Like

😉 How right you are! I thought one here by my desk was an iPhone 6 but About says it’s an SE!

But it’s also on 16.6, so if I read your lists correctly, it’s already protected?

The only SW Update offered on it is 26.3.

No, you’ll need to install iOS 16.7.15—there have been 17 updates since 16.6. 🙂

Ack! So not only don’t I know what model it is but read your list wrong! Doh! Will go to the link and see if things click in place then… Sorry!

You will not be able to install anything but 26.3 (though I think it really should be 26.3.1). If your phone is being offered iOS 26, you will not be able to install any other earlier version than that. iOS 16.7.15 is only offered for older phones that cannot run iOS 17 or newer.

This is always the way - if your phone can run the latest update, and you have not kept up to date, the latest release is all that you can install. Apple has stopped signing those older releases for all but the devices that were no longer offered iOS 17.

2 Likes

OK thanks @ddmiller, that clarifies things! The device is fairly low risk, stays mostly at home, takes very rare phone calls and texts and is used on the go for shopping apps, more or less no web browsing or email etc. Will look into reducing any personal data that might be at risk in the unusual case of compromise.

1 Like

Thanks for the notice, Adam!
I would not have known about this update otherwise. I have an “old” iPad (5th Generation), more or less an old spare at this point, to be used usually without access to the internet, but still…

Interestingly my 1st gen 12.9 inch iPad Pro is reporting that it is on iPadOS 16.7.8 and that it is up to date. Shouldn’t it be offering 16.7.15? What am I missing?

Have you tried swiping down on the software update screen? Sometimes you need to refresh the screen to see the available update. Also, double check the obvious, such as making sure you have a working network connection by visiting a website. My own iPad sometimes takes a while to connect to a network, even after opening an app or two.