Back to Home

Cyberattacks on iOS 13-17: Apple warns

Apple warns owners of outdated iOS about attacks using Coruna and DarkSword exploits. Patches released on March 11 for iOS 15.8.7 and 16.7.15. Update or activate Lockdown Mode for protection is recommended.

Coruna and DarkSword Exploits Attack iOS: Apple Notifications
Advertisement 728x90

# Apple Warns of Cyberattacks on Outdated iOS: Coruna and DarkSword Exploits

Apple is sending critical notifications to owners of devices running iOS 13, 14, and 17, as well as iPadOS. Messages from the Settings app warn about ongoing attacks using Coruna and DarkSword exploits. These exploit chains target vulnerabilities in versions from iOS 13 to 17.2.1, enabling remote access via malicious links or websites.

Attack Mechanisms and Scope

Notifications appear on the lock screen as Critical Software alerts. Apple has confirmed attacks on iOS 17.0 and earlier. Affected devices are those that haven't received the March 11 patches: iOS 15.8.7, iOS 16.7.15, and equivalent iPadOS versions.

The Coruna and DarkSword exploits are triggered by minimal interaction:

Google AdInline article slot
  • Clicking a malicious link.
  • Visiting a compromised website.

This leads to device compromise, data extraction, and potential persistent access.

For iOS 13/14, an intermediate update to iOS 15 is required, followed by the patch. iOS 15–17 versions with the latest updates are protected by default.

Protection Recommendations

Apple recommends the following steps to minimize risks:

Google AdInline article slot
  • Update the OS: Install iOS 15.8.7+ or iOS 16.7.15+ via Settings > General > Software Update.
  • Lockdown Mode: Enable in Settings > Privacy & Security > Lockdown Mode (available on iOS 16+). It restricts features to reduce the attack surface.
  • Avoid suspicious links: Don't open unknown URLs in Safari or iMessage.
  • Monitor notifications: Check system alerts on the lock screen.

| iOS/iPadOS Version | Status After March 11 Patch | Required Actions |

|-------------------|-----------------------------|---------------------|

| 13–14.x | Vulnerable | Update to 15, then patch |

Google AdInline article slot

| 15.x (up to 15.8.7) | Vulnerable | Install 15.8.7+ |

| 16.x (up to 16.7.15)| Vulnerable | Install 16.7.15+|

| 17.0–17.2.1 | Vulnerable | Update to 17.2.2+|

| 15–17 (latest) | Protected | Keep updates current |

Technical Details of the Exploits

Coruna and DarkSword are zero-click or one-click exploit chains targeting WebKit and kernel vulnerabilities. They bypass Safari's sandboxing, escalating privileges to root. Analysis reveals use of CVEs in JavaScriptCore and IOKit drivers.

Developers should consider:

  • Testing WebView on vulnerable iOS versions.
  • Isolating network requests in apps.
  • Logging suspicious JS executions.

Lockdown Mode disables JIT in WebKit, blocks message attachments, and restricts peer-to-peer connections, neutralizing many attack vectors.

Key Points

  • Active Exploits: Coruna and DarkSword are live on iOS 13–17.2.1; March 11 updates close the zero-days.
  • Broad Scope: Notifications for all vulnerable devices; iOS 13/14 require staged updates.
  • Lockdown Mode as Fallback: Effective against targeted attacks, but reduces usability.
  • Proactive Alerts: Apple monitors threat intelligence in real time.
  • Latest Versions Protected: iOS 15–17 patched; focus on legacy devices.

Mid/senior-level developers: Integrate WKWebView with content blockers, monitor ATS logs for anomalies. For enterprise, enforce MDM with mandatory updates and Lockdown Mode.

— Editorial Team

Advertisement 728x90

Read Next