Apple Patches Critical iOS 15.8.7 and iPadOS 15.8.7 Security Update

Apple has released iOS 15.8.7 and iPadOS 15.8.7, critical security updates that bring important vulnerability fixes to older devices that cannot run the latest iOS versions. The updates address several security issues, including vulnerabilities associated with the Coruna exploit that were previously patched in newer iOS releases.

The security update is available for iPhone 6s and later models, iPhone 7, iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation). These devices represent hardware that Apple no longer supports with the latest iOS versions, making this update particularly important for users who haven't upgraded to newer devices.

Kernel Vulnerability Fix

The most severe vulnerability addressed in this update is a kernel-level issue that could allow an app to execute arbitrary code with kernel privileges. This type of vulnerability is particularly dangerous because it provides attackers with the highest level of system access, potentially allowing them to bypass all security measures and take complete control of the device.

Apple notes that this fix was originally shipped in iOS 17 on September 18, 2023, but is now being backported to older devices. The vulnerability was identified as CVE-2023-41974 and was discovered by Félix Poulin-Bélanger. The fix addresses a use-after-free issue through improved memory management, a common type of vulnerability where software continues to use memory after it has been freed, potentially leading to crashes or code execution.

WebKit Vulnerabilities

Multiple WebKit vulnerabilities are also addressed in this update, affecting the browser engine that powers Safari and other web-based applications on iOS. These vulnerabilities could allow processing of maliciously crafted web content to lead to arbitrary code execution or memory corruption.

One notable WebKit vulnerability, CVE-2024-23222, involves a type confusion issue that has been addressed with improved checks. Type confusion vulnerabilities occur when a program mistakenly treats a variable as one data type when it's actually another, potentially allowing attackers to bypass security checks or execute unintended operations.

Another WebKit vulnerability, CVE-2023-43000, was originally fixed in iOS 17.2 and addresses memory handling issues that could lead to memory corruption. The update also includes fixes for vulnerabilities tracked as CVE-2023-43010 and CVE-2023-41974, all of which were previously patched in newer iOS versions but are now available for older devices.

The Coruna Exploit Connection

Several of the vulnerabilities addressed in this update are associated with the Coruna exploit, suggesting that these security issues were part of a larger exploit chain. By backporting these fixes to older iOS versions, Apple is ensuring that users of legacy devices receive protection against known exploit techniques, even if they cannot upgrade to the latest operating system.

Importance for Legacy Device Users

This security update is crucial for users of older Apple devices who may not be aware that their hardware is no longer receiving the latest iOS updates. Many users keep older devices for various reasons, including cost considerations or satisfaction with current functionality. However, running outdated software can expose devices to known security vulnerabilities.

The release of iOS 15.8.7 and iPadOS 15.8.7 demonstrates Apple's commitment to maintaining security across its device ecosystem, even for hardware that has reached end-of-life for major OS updates. This approach helps protect users who might otherwise be left vulnerable to exploits that have been patched in newer versions.

Installation Recommendations

Apple strongly recommends that all users of affected devices install this security update as soon as possible. The update can be downloaded through the Settings app under General > Software Update. Given the severity of the kernel vulnerability and the multiple WebKit issues addressed, delaying installation could leave devices exposed to potential attacks.

For users who have been hesitant to update due to concerns about performance on older hardware, this security-focused update may provide a more targeted improvement without the broader changes that sometimes accompany major iOS releases. The update focuses specifically on security fixes without introducing new features that might impact device performance.

This security release underscores the ongoing challenge of maintaining security across diverse device ecosystems and highlights the importance of regular software updates, even for devices that are several years old.