Apple Patches Legacy iOS 15.8.7 and 16.7.15 Against Coruna Exploits

Legacy Device Security and the Coruna Exploit Chain

Apple has addressed a series of critical vulnerabilities in its legacy mobile operating systems by releasing iOS 15.8.7 and iOS 16.7.15. These updates are specifically designed to protect older hardware—including the iPhone 6s and iPhone 7—from a sophisticated Zero-Day exploit chain known as Coruna. This chain was originally identified in relation to the ‘Operation Triangulation’ campaign, which targeted mobile devices with advanced spyware. According to SecurityWeek, these patches extend protections to users who cannot upgrade to the latest major iOS versions, ensuring that historical CVE entries do not remain viable entry points for attackers.

Apple iOS 15.8.7 Security Update Context

The release of the Apple iOS 15.8.7 security update is a response to the persistent threat of memory corruption and Privilege Escalation vulnerabilities that bypassed standard operating system protections. The Coruna exploits are notable for their ability to achieve persistent access without requiring user interaction. While newer devices received these patches in 2023, the threat to legacy systems remains significant, as many organizations continue to use older hardware for specific operational tasks or legacy application support.

Technical Analysis: Memory Corruption and Hardware Register Bypass

The Coruna exploit chain relies on several high-impact vulnerabilities. The primary component involves CVE-2023-32434, an integer overflow in the kernel. By exploiting this flaw, an attacker can achieve arbitrary kernel-level code execution. This is frequently paired with CVE-2023-32435, a memory corruption vulnerability within the WebKit engine. In a typical TTP for this chain, an attacker lures a target to a malicious website or delivers a payload via iMessage, triggering the WebKit flaw to gain initial access before escalating privileges via the kernel overflow.

Detection and Mitigation of Triangulation Spyware

A critical element of this campaign is the bypass of hardware-based security features. Identifying how to detect CVE-2023-38606 exploit activity is essential for forensic analysts. CVE-2023-38606 allowed attackers to bypass hardware-level protections by writing directly to specific hardware registers not intended for software access. This level of technical sophistication suggests a highly capable APT or advanced mercenary group. To counter these threats, Triangulation spyware mitigation requires both the software patches provided by Apple and a rigorous inspection of system logs for unauthorized kernel state modifications.

Defensive Recommendations and Remediation

Organizations maintaining legacy hardware must prioritize the deployment of these updates. The risk of RCE on unpatched devices remains high, especially as proof-of-concept exploits for several stages of this chain are publicly documented.

1. Immediate Patching: Ensure all iPhone 6s, iPhone 7, iPhone SE (1st Gen), and iPad Air 2 devices are updated to iOS 15.8.7. Newer legacy devices should move to iOS 16.7.15.
2. Network Monitoring: Monitor for IoC patterns associated with Operation Triangulation, specifically unusual outbound traffic to unknown C2 infrastructure from mobile assets.
3. Device Retirement: Evaluate the necessity of legacy devices. If a device cannot support the latest security features, it should be isolated or phased out as part of a Zero Trust architecture.

By addressing these legacy vulnerabilities, defenders can close the gap that sophisticated threat actors exploit to maintain long-term persistence within corporate environments.