
Apple has released iOS 18.7.7 and iPadOS 18.7.7, expanding protections against the DarkSword iPhone exploit chain to a wider range of devices while patching multiple newly disclosed vulnerabilities.
The updates were initially issued on March 24, 2026, and Apple re-released them on April 1 to extend availability and ensure more users receive critical defenses against ongoing web-based attacks linked to DarkSword.
Apple rarely revisits point updates unless there is a compelling security reason. In this case, the expanded rollout is directly tied to DarkSword, a sophisticated exploit framework uncovered in March 2026 and observed in real-world attacks targeting iPhones via compromised websites.
DarkSword was documented by researchers at Lookout, iVerify, and Google’s Threat Intelligence Group, who traced its use in watering-hole campaigns affecting users in Ukraine, Saudi Arabia, Turkey, and Malaysia. The framework chains together six vulnerabilities to achieve full device compromise, moving from Safari-based code execution to kernel-level access and deploying data-stealing malware such as GHOSTBLADE.
While Apple had already addressed the underlying vulnerabilities across earlier updates, starting in late 2025 and continuing through iOS 18.7.x and iOS 26, this latest release ensures those protections reach devices that may not have been fully covered or updated.
In addition to expanding DarkSword mitigations, iOS 18.7.7 fixes a broad set of security flaws across system components, many of which could be exploited by malicious apps or specially crafted web content.
Notable patches include:
- CVE-2026-28865 (802.1X): A network-positioned attacker could intercept traffic due to an authentication issue.
- CVE-2026-20637 (AppleKeyStore): A use-after-free flaw that could trigger system crashes.
- CVE-2026-28866 (Clipboard): Allowed apps to access sensitive user data due to improper symlink validation.
- CVE-2026-20690 (CoreMedia): Malicious media files could cause a process to terminate via out-of-bounds access.
- CVE-2025-43534 (iTunes Store): A physical attacker could bypass Activation Lock.
- Multiple kernel flaws, including memory disclosure, state leakage, and memory corruption issues that could lead to crashes or elevated impact.
- WebKit vulnerabilities that allow cross-site scripting, Same Origin Policy bypass, DNS query leaks even with Private Relay enabled, and improper enforcement of Content Security Policy.
Although Apple states that fully updated devices are already protected against DarkSword attacks, this release brings fixes to more devices that weren’t eligible for previous rounds of patches. Enabling automatic updates should deliver the fixes on qualifying iPhones now.






