Apple expands DarkSword patch

Apple widened the iOS 18.7.7 update to cover iPhones and iPads not yet on iOS 26 after the “DarkSword” exploit allowed silent device takeover via malicious websites—unpatched devices are being targeted in the wild. Pushes and auto‑update enforcement are now urgent for managed fleets. (thehackernews.com, macrumors.com, macworld.com)

iOS 18.7.7 and iPadOS 18.7.7 were released by Apple on March 24, 2026, and Apple explicitly enabled broader availability for additional devices on April 1, 2026 so devices with Automatic Updates can receive the protections. (support.apple.com)

The DarkSword exploit chain ties together six distinct vulnerabilities (including three that were zero‑days) and was disclosed by GTIG, Lookout, and iVerify in mid‑March 2026 as a full‑chain WebKit/JavaScript toolkit that targets iOS 18.4–18.7 for silent device takeover. (cloud.google.com) Security researchers reported that a version of the DarkSword kit was posted publicly to GitHub around March 23–24, 2026, which increased the likelihood of opportunistic use by cybercriminals beyond the original state‑grade operators. (techcrunch.com) Google’s threat group telemetry shows DarkSword has been in use since at least November 2025 by multiple commercial surveillance vendors and suspected state actors, and at least one suspected Russian espionage cluster (UNC6353) and TA446 have been observed deploying related tooling. (cloud.google.com)

Apple’s security advisory for iOS 18.7.7 lists specific CVE fixes and notes many of the patched issues first shipped in 2025; the advisory’s March 24 changelog includes CVEs assigned to components such as AppleKeyStore, WebKit/Clipboard, CoreMedia and curl for affected devices like iPhone XS/XS Max/XR and iPad (7th gen). (support.apple.com)

Apple’s current management guidance points administrators to Declarative Device Management (DDM) and the Managed Software Updates features to control download‑then‑install workflows, while legacy ScheduleOSUpdate commands are being superseded and some remote‑install behaviors require devices to be Supervised for enforcement. (developer.apple.com) MDM vendors document practical enforcement controls useful for fleets: options include setting a specific enforcement date, using “Latest minus N” (N‑1) enforcement, and issuing a two‑step download‑then‑install schedule. These capabilities are described in Jamf, SimpleMDM, and other UEM vendor docs, and administrators can script them into rollout plans. (support.jamf.com)
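A sketch of how the rollout step above could be scripted, added here as an example and not taken from Apple or any MDM vendor: it triages an inventory export against the 18.4–18.7 target range and the 18.7.7 fix, then builds a DDM software update enforcement declaration with a specific enforcement date. The inventory schema, bucket names, declaration `Identifier` and deadline are constructed, and treating 18.7.x builds below 18.7.7 as inside the target range is an assumption.

```python
import json
import uuid

FIXED = (18, 7, 7)                  # patched release named in the brief
TARGET_RANGE = ((18, 4), (18, 7))   # iOS range the brief says the kit targets

def parse_version(text):
    """'18.6' -> (18, 6, 0); pads to three numeric components."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])

def triage(device):
    """Classify one record (constructed schema: serial, os, supervised)."""
    v = parse_version(device["os"])
    if v[0] != 18:
        return "out-of-scope"        # e.g. already on iOS 26
    if v >= FIXED:
        return "patched"
    in_range = TARGET_RANGE[0] <= v[:2] <= TARGET_RANGE[1]
    # Assumption: unsupervised devices cannot be force-updated, so they go
    # to a separate queue for user prompting or manual follow-up.
    suffix = "enforce" if device["supervised"] else "manual"
    return ("exposed-" if in_range else "outdated-") + suffix

def enforcement_declaration(deadline_local):
    """DDM declaration pinning 18.7.7 with a specific enforcement date."""
    return {
        "Type": "com.apple.configuration.softwareupdate.enforcement.specific",
        "Identifier": "example.softwareupdate.ios-18-7-7",  # hypothetical
        "ServerToken": str(uuid.uuid4()),
        "Payload": {"TargetOSVersion": "18.7.7",
                    "TargetLocalDateTime": deadline_local},
    }

def plan(inventory, deadline_local):
    """Return (buckets of serials, declaration or None if nothing to enforce)."""
    buckets = {}
    for d in inventory:
        buckets.setdefault(triage(d), []).append(d["serial"])
    need = buckets.get("exposed-enforce", []) + buckets.get("outdated-enforce", [])
    return buckets, (enforcement_declaration(deadline_local) if need else None)

# Constructed inventory export, not real fleet data.
INVENTORY = [
    {"serial": "C0001", "os": "18.6", "supervised": True},
    {"serial": "C0002", "os": "18.7.7", "supervised": True},
    {"serial": "C0003", "os": "18.5.1", "supervised": False},
    {"serial": "C0004", "os": "26.1", "supervised": True},
    {"serial": "C0005", "os": "18.3.2", "supervised": True},
    {"serial": "C0006", "os": "18.7.2", "supervised": True},
]

if __name__ == "__main__":
    buckets, decl = plan(INVENTORY, "2026-04-03T18:00:00")  # constructed deadline
    print(json.dumps({"buckets": buckets, "declaration": decl}, indent=2))
```

The serials in the `*-manual` buckets are the ones the declaration will not cover, so they need a separate follow-up path.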
