Apple Patches CVE-2023-43010 WebKit Vulnerability in Older Devices

Apple has released a series of security updates targeting older versions of its mobile and desktop operating systems to address a flaw actively leveraged in the wild. This move comes as the tech giant backports protections for CVE-2023-43010, a memory corruption vulnerability in the WebKit engine that has been incorporated into the Coruna exploit kit. According to The Hacker News, these updates ensure that users on legacy software versions receive the same protections recently afforded to the latest stable releases of iOS and macOS.

Technical Analysis of CVE-2023-43010

The vulnerability, identified as CVE-2023-43010, resides within the WebKit framework, the engine powering the Safari browser and all web-view components across Apple’s ecosystem. The flaw is characterized as an unspecified memory corruption issue. When a user interacts with maliciously crafted web content, the vulnerability allows an attacker to bypass memory safety boundaries, potentially leading to RCE.

Because WebKit is integrated into numerous applications beyond the browser, the attack surface is significant. A Phishing campaign or a compromised website could serve as the delivery mechanism for the exploit. Security researchers often find that such Zero-Day or near-zero-day vulnerabilities are highly prized by APT groups for initial access. The discovery of an iOS 16 WebKit memory corruption fix being backported suggests that organizations still running older hardware remain high-value targets for attackers who specialize in mobile surveillance or data exfiltration.

Coruna Exploit Kit Mitigation for macOS and iOS

The most pressing aspect of this advisory is the link between the vulnerability and the Coruna exploit kit. Exploit kits are automated frameworks used by threat actors to identify and exploit vulnerabilities in a visitor’s web browser. By integrating CVE-2023-43010, the operators of Coruna can automate the delivery of secondary payloads once the initial WebKit compromise is successful.

Implementing Coruna exploit kit mitigation for macOS and iOS requires more than just perimeter defenses. Since the exploit kit targets the client-side browser engine, traditional EDR solutions on mobile devices may have limited visibility into the initial memory corruption event. Therefore, the primary line of defense is the application of the vendor-provided patch. Defenders analyzing their network traffic for IoC signatures should look for anomalous outbound connections following browser crashes, which may indicate a successful exploit attempt and subsequent C2 communication.

Assessing Impact on Older Infrastructure

Many organizations maintain older Apple devices for specific legacy applications or as part of a staggered hardware refresh cycle. This creates a window of opportunity for attackers. When researching how to detect CVE-2023-43010 exploit activity, SOC analysts should review SIEM logs for browser-related process crashes (e.g., WebContent process) on unpatched devices. If an attacker achieves Privilege Escalation following the initial WebKit breach, they may attempt Lateral Movement within the corporate network, particularly if the device is connected to a sensitive Zero Trust environment.

Recommendations and Remediation

The CVSS score and active exploitation history of this flaw necessitate immediate action. Apple has historically prioritized its latest operating systems, but the decision to backport this fix highlights the severity of the threat posed by the Coruna kit.

1. Update Immediately: Ensure all devices running iOS 16, iPadOS 16, or macOS Sonoma are updated to the latest minor version provided by Apple.
2. Browser Isolation: For high-risk users, consider utilizing browser isolation technologies to execute web content in a containerized environment, neutralizing the impact of a WebKit exploit.
3. Audit Legacy Devices: Inventory all Apple hardware to identify devices no longer receiving security updates. These should be decommissioned or isolated from the primary production network.

By following these steps, organizations can significantly reduce the risk of a Supply Chain Attack or data breach stemming from unpatched mobile vulnerabilities. Reviewing current TTP sets according to the MITRE ATT&CK framework can further help teams understand how mobile exploits fit into broader campaign strategies.