
Apple Issues Urgent Lock Screen Alerts for Outdated iPhones Amid Active Exploits

Apple is now directly notifying users of iPhones and iPads running older software versions about active web-based attacks. These critical alerts, appearing on the lock screen, urge immediate updates to protect devices from exploitation by known exploit kits like Coruna and DarkSword. This proactive measure highlights the company's concern over the exploitation of unpatched vulnerabilities.

Key Takeaways

  • Apple is sending direct lock screen notifications to iPhones and iPads with outdated iOS/iPadOS versions.

  • These alerts warn of active cyberattacks exploiting known vulnerabilities.

  • Exploit kits like Coruna and DarkSword are actively targeting older iOS versions.

  • Users are urged to install critical software updates immediately to protect their data.

  • Even visiting a malicious website or clicking a link can lead to data theft on unpatched devices.

Active Exploitation of Older iOS Versions

Apple has begun sending "Critical Software" notifications directly to the lock screens of iPhones and iPads running outdated versions of iOS and iPadOS. These alerts explicitly state that Apple is aware of attacks targeting these older software versions and strongly recommends installing the latest updates to safeguard the device. This move signifies an escalation in Apple's communication strategy, moving beyond typical in-app reminders to ensure users are aware of immediate threats.

The notifications are appearing on a range of older iOS versions, including iOS 17.0, extending beyond the specific versions previously highlighted in Apple's support documentation. This indicates that a broader spectrum of older devices is currently at risk.

Coruna and DarkSword Exploit Kits

These alerts are directly linked to the ongoing exploitation of vulnerabilities by sophisticated exploit kits, namely Coruna and DarkSword. These kits are designed to take advantage of weaknesses present in iOS versions ranging from iOS 13 up to iOS 17.2.1. The danger lies in the minimal interaction required for these attacks; simply visiting a compromised website or clicking on a malicious link can be enough for attackers to exploit vulnerabilities and potentially steal sensitive user data.

Kaspersky researchers have noted that the Coruna exploit kit is an evolution of the framework used in the 2023 Operation Triangulation campaign, suggesting a sophisticated and continuously maintained threat. The emergence and potential wider availability of such kits raise concerns about their democratization, potentially turning them into mass-exploitation tools.

Immediate Action Recommended

Apple has been actively patching these vulnerabilities over the past few months. Recent updates, such as iOS 15.8.7 and iOS 16.7.15, were released to address security issues associated with these exploit kits. Devices running the latest release of iOS 15 through iOS 26 are generally protected, provided users keep their software up to date. Safari's Safe Browsing feature, enabled by default, also helps block known malicious domains.

However, the effectiveness of these patches relies on users actually installing them. For devices that cannot update to the latest versions, Apple recommends enabling Lockdown Mode, if available, as an additional layer of protection against malicious web content. Users are strongly advised to navigate to Settings > General > Software Update to install the latest available version of iOS or iPadOS to ensure their data remains secure from these evolving threats.
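For administrators who track devices in an inventory, the version guidance above can be turned into a quick triage pass. This is an added example, not Apple's tooling or code from any of the cited sources; it uses only the version numbers quoted in this article, and the status names, device names and sample inventory are constructed assumptions.

```python
# Added example: triage an inventory using only the versions quoted in this article.
KIT_RANGE = ((13, 0, 0), (17, 2, 1))               # "iOS 13 up to iOS 17.2.1"
PATCHED_FLOOR = {15: (15, 8, 7), 16: (16, 7, 15)}  # fixes the article names


def parse_version(text):
    """Turn '16.7' into (16, 7, 0); raise ValueError on anything malformed."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3 or any(p < 0 for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def triage(version_text):
    """Classify one reported OS version (status names are hypothetical)."""
    try:
        v = parse_version(version_text)
    except ValueError:
        return "review"            # unparseable inventory field
    floor = PATCHED_FLOOR.get(v[0])
    if floor is not None and v >= floor:
        return "patched"           # at or past a fix named in the article
    if v < KIT_RANGE[0]:
        return "review"            # older than anything the article covers
    if v <= KIT_RANGE[1]:
        return "update-now"        # inside the range the kits target
    return "above-range"           # newer than the range; still keep current


def report(inventory):
    """Group device names by status so the urgent ones can be chased first."""
    groups = {}
    for name, version in inventory:
        groups.setdefault(triage(version), []).append(name)
    return groups


# Constructed sample inventory (device names and versions are made up).
SAMPLE = [("ipad-frontdesk", "15.8.6"), ("iphone-sales-01", "17.0"),
          ("iphone-ops-02", "16.7.15"), ("iphone-exec-03", "26.1"),
          ("ipod-lab", "12.5.7"), ("iphone-unknown", "n/a")]

if __name__ == "__main__":
    for status, names in sorted(report(SAMPLE).items()):
        print(f"{status:12} {', '.join(names)}")
```

Devices in the `review` group fall outside what the article covers (too old, or the version field could not be read) and need a manual check, with Lockdown Mode considered where an update is not possible.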

Sources

  • Apple Sends Lock Screen Alerts to Outdated iPhones Over Active Web-Based Exploits, The Hacker News.

  • Apple issues urgent lock screen warnings for unpatched iPhones and iPads, Security Affairs.

  • Apple Now Sending Critical Security Alerts to iPhones Running iOS 17 and Earlier, MacRumors.

  • Apple Sends Critical Security Alerts to Outdated iPhones and iPads, The Mac Observer.

  • Don't Ignore This Security Alert Apple Sent to iPhone Lock Screens, Bitdefender.
