Apparently, Apple isn’t going to patch iOS 18.6.2, meaning I either risk my information with DarkSword or my sanity with iOS 26.
Say what you want about Microsoft — please! use profanity! — but they wouldn’t let a zero-interaction, full-exfil bug go unfixed on a seven month old release.
-
@gknauss Hey! Do you have a source for this?
-
@gknauss worse, it’ll patch it, just not for phones that can run 26
-
@gknauss which are you choosing, Sophie?
-
@gknauss
I’ve been one of the very reluctant upgradees to 26, but I bit the bullet last week on iPhone & iPad &…it’s all fine. I even like the (subdued) glass.
-
@gknauss Yes, they would.
"This vulnerability is completely theoretical."
-
@gknauss >letting malware hackers force your new UI that people hate on them
It's a bold strategy Cotton, let's see if it pays off for 'em…
-
@jsnell If they hadn’t throttled the CPU because of the battery, I’d still be on my iPhone 6.
AND NOBODY WOULD BE ON MY LAWN.
-
@mttaggart Nothing explicit, but reading between the lines…
iOS 26 has been fixed. iOS 18 for devices that can’t run iOS 26 has been fixed. And those who can run iOS 26 but don’t want to? [Conspicuous silence.]
Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild
A powerful iPhone-hacking technique known as DarkSword has been discovered in use by Russian hackers. It can take over devices running iOS 18 that simply visit infected websites.
WIRED (www.wired.com)
-
@gknauss I think the thing is to move to 18.7.3, which is patched.
For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.
I'm unaware of a compelling reason or hardware limitation to not upgrade from 18.6 to 18.7
https://cloud.google.com/blog/topics/threat-intelligence/darksword-ios-exploit-chain/
-
@mttaggart 18.7.X isn’t offered to me, since I’m on an iPhone 15 Pro. It’s either up to 26 or staying at 18.6.2.
-
@gknauss Ah I see, and you'd rather not run into the Liquid Glass ceiling. That does seem to be an issue!
-
@gknauss I have to agree. There was a patch that went very, very wrong in Windows 11 this Patch Tuesday. Or was it last month? Anyway, MS just released a fix last week. That was indeed fast.
-
@gknauss they still might drop one, but apparently priority was 26.4 getting out the door. If they do, it might be like in between 26.5b2 and 3 or something weird like that
-
@ppb1701 That they’ve already released 18.7.3 for phones that can’t upgrade to 26 but nothing for those that can does not bode well, alas. “Upgrade to 26” is the current recommendation, which just happens to suit their interests (and not mine).
-
@gknauss nope, that doesn't bode well. I do think they will eventually patch it... but it does seem more like they wanna say, "Sure it's patched, do the update to 26"
-
@mttaggart @gknauss same for SE 2022 (funnily, my SE 2016 does get patched…)