Critical iOS alerts: zero‑click spyware
Apple has been pushing 'Critical Software' lock‑screen update alerts for iPhones and iPads after reports of sophisticated zero‑click spyware—named 'Coruna' and 'DarkSword'—that exploits WebKit and dyld on older iOS versions. The warnings urge updates for affected devices running iOS 17 and earlier to block exploits that can install spyware without user interaction. (x.com)
Apple’s urgent push for critical software updates comes in response to the discovery of two highly sophisticated zero-click spyware threats, dubbed 'Coruna' and 'DarkSword,' which target vulnerabilities in older iOS versions. These exploits leverage flaws in WebKit, the engine behind Safari, and dyld, a dynamic linker used by iOS, to install malicious software without any user interaction, such as clicking a link or downloading a file. The attacks are particularly dangerous because they can compromise devices silently, potentially accessing sensitive data like messages, photos, and location information. (x.com)
The spyware was first reported by cybersecurity researchers who identified active exploitation in the wild, primarily targeting high-profile individuals such as journalists, activists, and government officials. While the exact origin of the spyware remains unclear, experts suggest it bears hallmarks of state-sponsored actors or advanced persistent threat (APT) groups, similar to past incidents involving tools like Pegasus from NSO Group. Apple has not disclosed the number of affected users but confirmed that the vulnerabilities impact devices running iOS 17 and earlier, leaving millions of unupdated devices at risk. (theverge.com)
In response, Apple began rolling out lock-screen alerts labeled 'Critical Software' to notify users of the urgent need to update their iPhones and iPads. These alerts bypass typical notification settings to ensure visibility, emphasizing the severity of the threat. The company released patches in iOS 17.1.2 and subsequent updates to address the WebKit and dyld vulnerabilities, urging users to install them immediately to block the exploits. Apple also reiterated its commitment to user security, stating it continuously monitors for such threats and collaborates with researchers to mitigate risks. (apple.com)
The emergence of Coruna and DarkSword underscores the growing sophistication of zero-click attacks, which have become a preferred method for bypassing traditional security measures. Unlike phishing or malware requiring user action, these exploits can infiltrate devices through seemingly innocuous channels like iMessage or web browsing. Cybersecurity experts warn that as long as users delay updates, their devices remain exposed, and even patched systems may face new, undisclosed vulnerabilities in the future. (wired.com)
Apple’s next steps include further investigation into the spyware’s spread and potential attribution to specific actors, though the company typically refrains from public speculation on perpetrators. Additionally, Apple is expected to enhance its BlastDoor security framework, introduced in iOS 14 to sandbox iMessage exploits, as part of ongoing efforts to counter zero-click threats. Users are advised to enable automatic updates and remain vigilant for official alerts, as delayed patching could leave devices vulnerable to similar attacks. (techcrunch.com)
For affected individuals, especially those in high-risk professions, Apple has also expanded access to its Lockdown Mode, a feature designed to limit certain functionalities and reduce attack surfaces on iOS devices. While not a complete solution, this mode offers an additional layer of protection against targeted spyware. Meanwhile, the broader tech community awaits more transparency on the scope of the Coruna and DarkSword campaigns, as such incidents often reveal systemic challenges in securing mobile ecosystems against evolving threats. (cnet.com)