CISA adds 3 iOS flaws to its catalog of known exploited vulnerabilities

Is this historical? Why aren't the recent versions or iOS 18 mentioned?
From the article:
The exploits work on iOS versions 13 to iOS 17.2.1. Versions beyond 17.2.1 aren’t vulnerable. The exploits also don’t fire when Apple Lockdown is activated or a browser is set to private browsing.
 
Upvote
104 (104 / 0)

willdude

Ars Scholae Palatinae
760
Is this historical? Why aren't the recent versions or iOS 18 mentioned?
Yeah I'm... sort of at a loss as to why stuff patched in 2023 is newsworthy. Is this particular set of exploits unique? Is the fact that CISA is issuing a notice unusual? (I mean I guess under current DHS it might be unusual for CISA to do anything at all, but still.)
 
Upvote
-12 (21 / -33)

coonwhiz

Ars Centurion
294
Subscriptor
Yeah I'm... sort of at a loss as to why stuff patched in 2023 is newsworthy. Is this particular set of exploits unique? Is the fact that CISA is issuing a notice unusual? (I mean I guess under current DHS it might be unusual for CISA to do anything at all, but still.)
It's an article about 2nd-hand zero-days. Once a software company publishes that they've fixed a zero-day, most people probably expect that hackers would move on from using it, since it's patched. My interpretation is that this shows that hackers may be developing the hacks after the zero-day has been patched and details are available with the intent/knowledge that not everyone will be up to date immediately.
 
Upvote
74 (75 / -1)

Mangosteen69

Ars Scholae Palatinae
729
Subscriptor
It's an article about 2nd-hand zero-days. Once a software company publishes that they've fixed a zero-day, most people probably expect that hackers would move on from using it, since it's patched. My interpretation is that this shows that hackers may be developing the hacks after the zero-day has been patched and details are available with the intent/knowledge that not everyone will be up to date immediately.
I see it as evidence of why using an "unsupported" old iOS device (that no longer gets security updates) is not worth it. Bad actors are clearly still using those exploits even though they have been patched. It's a good PSA for those who are unaware of what threats are out there.
 
Upvote
62 (62 / 0)

heffer101

Smack-Fu Master, in training
8
This sounds like one of the professional tools that someone like the US government uses leaked and ended up on the black market. That would explain things like the seemingly high quality nature and even proper English comments rather than indications of Russian or Chinese origin.
Wired (Ars's sister publication) did an article about this the other day:
https://www.wired.com/story/coruna-iphone-hacking-toolkit-us-government/

Most likely it was developed by a three-letter agency or contracted out, and then somehow smuggled.
 
Upvote
24 (24 / 0)

BulletCatcher

Seniorius Lurkius
36
Subscriptor++
Yeah I'm... sort of at a loss as to why stuff patched in 2023 is newsworthy. Is this particular set of exploits unique? Is the fact that CISA is issuing a notice unusual? (I mean I guess under current DHS it might be unusual for CISA to do anything at all, but still.)
CISA commonly releases direction for federal agencies (and folks at large) to patch old exploits that have been out for a while when they start seeing upticks in them being used or attempting to be used by bad actors.

CVE-2018-8639, as an example, was patched back in 2018. It impacts most of Windows 10, as well as Windows Server 2012 R2, etc. A lot of these operating systems are still in use today, and often are not patched. This was added to CISA's Known Exploited Vulnerabilities list on Tuesday, since it's cropping up out in the wild.

https://www.cisa.gov/known-exploited-vulnerabilities-catalog has plenty of nifty things that they recommend federal agencies patch against. It's not a bad idea to follow its guidance if you're able. I'd say you can point to it and tell bosses "See, the Feds say it should be patched, please give me the budget for updates!" but with the current federal government, I don't know how much weight that will actually carry these days.
 
Upvote
35 (35 / 0)
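The catalog BulletCatcher links to is also published by CISA as a machine-readable JSON feed, which is what makes it usable for the kind of "is anything we run on the list, and is it past due?" check the post describes. The script below is an added example for this thread, not code from the commenter or from CISA: it loads a feed dump, selects the entries for vendors you operate and flags those whose remediation due date has passed. The JSON sample is constructed inline, the field names (`vulnerabilities`, `cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`, `requiredAction`) are an assumption about the feed's shape, the dates are made up, and the two Apple rows use placeholder CVE ids rather than the catalog's real iOS entries.

```python
"""Triage a CISA KEV feed dump: which entries touch a vendor you run, and
which are past their remediation due date.

Constructed sample shaped like the published feed. Field names are an
assumption; the Apple rows carry placeholder CVE ids, and all dates are
made up for the example.
"""
import json
from datetime import date

SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2018-8639", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Windows kernel privilege escalation (constructed description)",
     "dateAdded": "2026-03-03", "dueDate": "2026-03-24",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-00001", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "vulnerabilityName": "Placeholder WebKit entry (not a real CVE id)",
     "dateAdded": "2026-03-05", "dueDate": "2026-03-26",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-0000-00002", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "vulnerabilityName": "Placeholder kernel entry (not a real CVE id)",
     "dateAdded": "2026-03-05", "dueDate": "2026-03-26",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}"""


def parse_kev(text: str) -> list[dict]:
    """Load a KEV feed dump and turn its ISO date strings into date objects."""
    doc = json.loads(text)
    entries = []
    for raw in doc["vulnerabilities"]:
        entry = dict(raw)
        entry["dateAdded"] = date.fromisoformat(raw["dateAdded"])
        entry["dueDate"] = date.fromisoformat(raw["dueDate"])
        entries.append(entry)
    return entries


def entries_for_vendor(entries: list[dict], vendor: str) -> list[dict]:
    """Entries whose vendorProject matches, ignoring case."""
    wanted = vendor.casefold()
    return [e for e in entries if e["vendorProject"].casefold() == wanted]


def days_until_due(entry: dict, as_of: date) -> int:
    """Positive while time remains, negative once the due date has passed."""
    return (entry["dueDate"] - as_of).days


def overdue(entries: list[dict], as_of: date) -> list[str]:
    """CVE ids whose remediation due date is strictly before as_of."""
    return sorted(e["cveID"] for e in entries if e["dueDate"] < as_of)


def triage_report(entries: list[dict], vendors: list[str], as_of: date) -> list[str]:
    """One line per matching entry, stating how far it is from its due date."""
    lines = []
    for vendor in vendors:
        for e in entries_for_vendor(entries, vendor):
            delta = days_until_due(e, as_of)
            status = f"OVERDUE by {-delta} day(s)" if delta < 0 else f"due in {delta} day(s)"
            lines.append(f"{e['cveID']:16} {e['vendorProject']}/{e['product']}: {status}")
    return lines


if __name__ == "__main__":
    # In practice you would read the downloaded feed from disk instead of the sample.
    kev = parse_kev(SAMPLE_KEV_JSON)
    today = date(2026, 3, 25)  # constructed "today" for the sample dates above
    for line in triage_report(kev, ["Apple", "Microsoft"], today):
        print(line)
```

Run against a real feed download, the vendor list becomes the inventory you actually operate, and the overdue list is the part worth wiring into whatever ticketing or reporting the boss reads; the due dates are CISA's deadlines for federal agencies, but they are a reasonable yardstick for anyone.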

BulletCatcher

Seniorius Lurkius
36
Subscriptor++
Upvote
5 (5 / 0)

TheMongoose

Wise, Aged Ars Veteran
153
Subscriptor
The Cybersecurity and Infrastructure Security Agency has ordered federal agencies to patch three critical iOS vulnerabilities that were exploited over a 10-month span
Are we saying that federal agencies don't have very strict security policies, audits and reporting in place to make sure these things are kept up to date?

I get an automated email at work within 48 hours of the latest iOS update being approved to tell me to install it (if I haven't noticed the device prompt me already). I'd be contacted by the service desk if I left it long enough without allowing the patch to install. Certainly long before the two years mentioned as the last vulnerable version in this article.

For exactly this reason. No-one wants to be nailed by a zero day if there's a patch available...
 
Upvote
23 (23 / 0)

Arstotzka

Ars Scholae Palatinae
1,211
Subscriptor++
This sounds like one of the professional tools that someone like the US government uses leaked and ended up on the black market. That would explain things like the seemingly high quality nature and even proper English comments rather than indications of Russian or Chinese origin.
Your suspicions are (probably) correct. There's a very high likelihood that an employee at a defense contractor sold these secrets. He got 87 months which feels extremely light. This situation was discussed on the most recent Risky Business podcast episode.
 
Upvote
30 (30 / 0)
Upvote
14 (14 / 0)

uhuznaa

Ars Tribunus Angusticlavius
8,585
Wow, I never expected an article like this from Ars. It took a third of the article's length to reveal that this is something that's specific to older iOS versions. Also, the title is hella clickbaity.

Yes, this is specific to older iOS versions, but the fact that there are professionally engineered comprehensive packages out there to compromise iPhones isn't specific to older versions.
 
Upvote
16 (17 / -1)

senjaz

Ars Scholae Palatinae
823
Subscriptor
...and Safari is WebKit-based.

One of Google's justifications for going to Chromium from WebKit (for Chrome) is there is so much legacy cruft in WebKit that it is bloated and difficult to maintain.

Because of WebKit's history, and that large chunks of it were written before modern browser code hardening practices, I won't use Safari on my macOS devices, just Firefox.
But to each, their own, I suppose. :eek:
When Apple was looking around for code they could base their own browser on they evaluated Mozilla (Firefox uses this) and found it to be bloated, full of legacy cruft and difficult to maintain. It is why they chose KHTML.

Google chose WebKit to base their project on because it was the best option. Google only began significantly deviating from WebKit when they wanted to implement features faster than Apple was doing. The key example is the split process model.

There is no modern browser that wasn't written before modern code hardening practices became the norm.

There have been significant changes to the HTML, CSS and ECMAScript specs over the last 20 years. But because the web is a place that values legacy compatibility so highly, all browsers are going to be full of code that won't be used by modern sites.

Given that Chromium is poisoned by Google’s desire to ensure that tracking and fingerprinting remain possible (the only thing that Google truly cares about securing is their bottom line) I have yet to see any option better than WebKit.

That is even before we consider iCloud private relay which makes it even more secure.
 
Upvote
48 (50 / -2)

just another rmohns

Ars Scholae Palatinae
1,390
Subscriptor++
When Apple was looking around for code they could base their own browser on they evaluated Mozilla (Firefox uses this) and found it to be bloated, full of legacy cruft and difficult to maintain. It is why they chose KHTML.

I'd like to offer a gentle correction: When Apple was looking for a browser engine, they evaluated Netscape. Netscape (and then Mozilla) were quite aware of Netscape's legacy cruft, which is why they started a ground-up rewrite: Gecko. But Mozilla's Gecko engine wasn't far enough along to be a viable option for Apple (at least, not on the timeline they wanted).

Safari was introduced in January 2003.
Mozilla v0.1 (not a typo) was released in September 2002. (1.0 was released in 2004.)

Everything else you wrote is dead on target!
 
Upvote
24 (24 / 0)

jesse1

Ars Scholae Palatinae
948
From the article:
That doesn't answer the question.

"Historical" means: is this about exploits that happened historically and were exploited at the time, or is it post-2024 and just about people who didn't patch? Most iOS users update within a few months, so those are drastically different sizes of pools of victims.
 
Upvote
-6 (0 / -6)

chris__

Wise, Aged Ars Veteran
157
Subscriptor
That doesn't answer the question.

"Historical" means: is this about exploits that happened historically and were exploited at the time, or is it post-2024 and just about people who didn't patch? Most iOS users update within a few months, so those are drastically different sizes of pools of victims.
Going by my website's traffic, about 2 to 3% of iOS users are still on vulnerable versions.

About half of iOS users upgrade within the first 3 months, and about 75% in the first 6 months. It gets much slower after that.

2 of the 3 vulnerabilities were in WebKit.

Apple famously do a decent job of rolling out operating system updates. However their contemporaries show them they could be significantly faster at rolling out rendering engine updates, by not tying Safari updates to operating system updates.
 
Upvote
12 (13 / -1)
Going by my website's traffic, about 2 to 3% of iOS users are still on vulnerable versions.

About half of iOS users upgrade within the first 3 months, and about 75% in the first 6 months. It gets much slower after that.

2 of the 3 vulnerabilities were in WebKit.

Apple famously do a decent job of rolling out operating system updates. However their contemporaries show them they could be significantly faster at rolling out rendering engine updates, by not tying Safari updates to operating system updates.
As recently as a few years ago, Mac users sometimes got separate Safari updates.
 
Upvote
7 (7 / 0)
Another week, another iOS vulnerability.
Try to keep up, kid.

"Devices listed in the NATO Information Assurance Product Catalogue (NIAPC) are commercial security products built in NATO member states, designed to protect NATO or national classified information. They meet strict information security standards, undergo NATO or national vetting, hold recognized certifications like Common Criteria or INFOSEC approvals, and receive explicit approval for handling classified data, often up to levels such as NATO Restricted or NATO Secret.

iPhone and iPad are the first consumer devices cleared for NATO’s ‘RESTRICTED’ classification."
 
Upvote
5 (7 / -2)
I'm concerned how Apple doesn't disclose security updates. Sure, they are responsible to shareholders and don't want to tip the AAPL cart. And there is the notion of not alerting those criminals/miscreants/state actors that exploit the flaws they patch. Cat and mouse, they say.
But I feel Apple is doing a disservice to customers that keep their iOS devices, e.g. paid-for iPads or iPhones, and not spending funds on longevity support. Rather: create e-waste, buy our new product that we support for "maybe" up to seven years, and abandon after nine years. Perhaps legislation that not just includes California to support devices made by Apple. And why is that? Surely a trillion-dollar entity like Apple can have a legacy iOS patch group of engineers. Or if it's a cost issue, give the Apple user a better deal on trade-in, instead of some petty US$50 off a US$500 iPad.
Says the Arsian that has an iPad that is running and no longer supported past the iOS 17 system. Sigh. Well, let's see what iPad is on sale....
 
Upvote
-6 (0 / -6)

noraar

Ars Scholae Palatinae
737
Subscriptor
Yeah I'm... sort of at a loss as to why stuff patched in 2023 is newsworthy. Is this particular set of exploits unique? Is the fact that CISA is issuing a notice unusual? (I mean I guess under current DHS it might be unusual for CISA to do anything at all, but still.)
Because not everyone keeps their phone up-to-date, or they're on an older phone that can't be updated to iOS 18.x.
 
Upvote
3 (3 / 0)

saanaito

Ars Scholae Palatinae
1,305
When I worked retail (through mid-2024), I saw a lot of customers who were looking for cases for older iPhones, which had long since been sunset by Apple. A lot of 6, 7, and 8 devices. Pretty much all of them looked like they would qualify for a senior discount somewhere, but that’s just my estimate.

These are the people who are still quite vulnerable to these exploits. And, personal opinion, they’re also among the least aware that they’re even at risk.
 
Upvote
3 (3 / 0)

Lorentz of Suburbia

Ars Praetorian
588
Subscriptor
Wow, I never expected an article like this from Ars. It took a third of the article's length to reveal that this is something that's specific to older iOS versions. Also, the title is hella clickbaity.
If you look at the effort of 4+-page-comments-deep true believers defending Google/Android... at a minimum it's plausible fodder to help defray criticism that Ars is soft on Apple.
 
Upvote
-1 (0 / -1)

adespoton

Ars Legatus Legionis
10,690
This sounds like one of the professional tools that someone like the US government uses leaked and ended up on the black market. That would explain things like the seemingly high quality nature and even proper English comments rather than indications of Russian or Chinese origin.
Seems to me like this was probably in that collection that Chinese APTs stumbled across that belonged to the NSA back in 2024.
 
Upvote
0 (0 / 0)

John Mahowald

Smack-Fu Master, in training
81
Subscriptor++
That doesn't answer the question.

"Historical" means: is this about exploits that happened historically and were exploited at the time, or is it post-2024 and just about people who didn't patch? Most iOS users update within a few months, so those are drastically different sizes of pools of victims.

The impressive feature of this kit is not that most of the known exploits have been patched, but that it is modular, well-documented, and has resilient command and control. Five full multi-stage exploit chains to choose from, named and targeted at very specific iOS versions, implies some degree of competence.

The article links to the Google Threat Intelligence post that describes some of the victim categories over the history of this exploit kit, throughout the year 2025. Note that the active threats late in the year are how Google finally collected the entire thing.

First commercial surveillance software, then Ukrainian users targeted by a suspected Russian espionage group, then fake Chinese gambling sites to steal cryptocurrency. Presumably the price of the kit goes down as the exploits are burned; given this, it might not take many crypto users with poor opsec to be profitable.

Notice the proliferation from commercial use, to military and state espionage, to theft. Promising to sell exploits only to state actors that are legitimate by some definition is a lie; that tech will escape.
 
Upvote
1 (1 / 0)