Apple Expands “DarkSword” Patch to iOS 18.7.7, Shielding Hundreds of Millions of Devices
What Happened — Apple released an expanded iOS 18.7.7 update that patches the six‑vulnerability “DarkSword” exploit chain, which allowed remote code execution from a single malicious website visit. The update now covers older iPhone XS/XS Max/XR and 7th‑gen iPad models that were previously left on vulnerable iOS 18 builds.
Why It Matters for TPRM —
- A widely‑publicized exploit chain targeting core Apple frameworks (WebKit, Safari, dynamic loader, kernel) can compromise any unpatched device, exposing corporate data and credentials.
- The vulnerability affects consumer‑grade devices that many enterprises allow for BYOD or mobile‑device‑management (MDM) programs, creating a supply‑chain risk.
- Timely patch adoption is essential to prevent lateral movement from compromised devices into corporate networks.
Who Is Affected — Consumer electronics (iPhone, iPad) used in BYOD, enterprise MDM, and mobile‑first business models; sectors with high mobile reliance such as finance, healthcare, retail, and field services.
Recommended Actions —
- Verify that all managed iOS devices are running iOS 18.7.7 or later, or have upgraded to iOS 26.x where supported.
- Enforce automatic update policies via MDM solutions.
- Conduct a rapid inventory of devices still on vulnerable iOS 18.x builds and prioritize remediation.
- Review endpoint detection rules for known DarkSword indicators of compromise (IoCs).
Technical Notes — DarkSword strings together six vulnerabilities across WebKit, Safari, the dynamic loader, and the kernel; several were zero‑day at the time of discovery. The exploit requires only a malicious web page load, no user interaction beyond visiting the site. Apple’s March 24 bulletin initially covered a subset of devices; the April expansion broadens coverage to older hardware still on iOS 18.
Source: Malwarebytes Labs – Apple expands “DarkSword” patches to iOS 18.7.7