Apparently, Apple isn’t going to patch iOS 18.6.2, meaning I either risk my information with DarkSword or my sanity with iOS 26.
-
@mttaggart Nothing explicit, but reading between the lines…
iOS 26 has been fixed. iOS 18 for devices that can’t run iOS 26 has been fixed. And those who can run iOS 26 but don’t want to? [Conspicuous silence.]
Hundreds of Millions of iPhones Can Be Hacked With a New Tool Found in the Wild
A powerful iPhone-hacking technique known as DarkSword has been discovered in use by Russian hackers. It can take over devices running iOS 18 that simply visit infected websites.
WIRED (www.wired.com)
@gknauss I think the thing is to move to 18.7.3, which is patched.
For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.
I'm unaware of a compelling reason or hardware limitation to not upgrade from 18.6 to 18.7
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors | Google Cloud Blog
DarkSword is a new iOS exploit chain that leverages multiple zero-day vulnerabilities to fully compromise iOS devices.
Google Cloud Blog (cloud.google.com)
-
@gknauss I think the thing is to move to 18.7.3, which is patched.
For devices running versions of iOS prior to 18.6, DarkSword uses CVE-2025-31277, a JIT optimization/type confusion bug which was patched by Apple in iOS 18.6. For devices running iOS 18.6-18.7, DarkSword uses CVE-2025-43529, a garbage collection bug in the Data Flow Graph (DFG) JIT layer of JavaScriptCore which was patched by Apple in iOS 18.7.3 and 26.2 after it was reported by GTIG. Both exploits develop their own fakeobj/addrof primitives, and then build arbitrary read/write primitives the same way on top of them.
I'm unaware of a compelling reason or hardware limitation to not upgrade from 18.6 to 18.7
The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors | Google Cloud Blog
DarkSword is a new iOS exploit chain that leverages multiple zero-day vulnerabilities to fully compromise iOS devices.
Google Cloud Blog (cloud.google.com)
@mttaggart 18.7.X isn’t offered to me, since I’m on a iPhone 15 Pro. It’s either up to 26 or staying at 18.6.2.
-
@mttaggart 18.7.X isn’t offered to me, since I’m on a iPhone 15 Pro. It’s either up to 26 or staying at 18.6.2.
@gknauss Ah I see, and you'd rather not run into the Liquid Glass ceiling. That does seem to be an issue!
-
-
Apparently, Apple isn’t going to patch iOS 18.6.2, meaning I either risk my information with DarkSword or my sanity with iOS 26.
Say what you want about Microsoft — please! use profanity! — but they wouldn’t let a zero-interaction, full-exfil bug go unfixed on a seven month old release.
@gknauss I have to agree. there was a patch that went very, very wrong in windows 11 this patch tuesday. Or was it last month? anyway MS just released a fix last week. Taht was indeed fast.
-
Apparently, Apple isn’t going to patch iOS 18.6.2, meaning I either risk my information with DarkSword or my sanity with iOS 26.
Say what you want about Microsoft — please! use profanity! — but they wouldn’t let a zero-interaction, full-exfil bug go unfixed on a seven month old release.
-
Apparently, Apple isn’t going to patch iOS 18.6.2, meaning I either risk my information with DarkSword or my sanity with iOS 26.
Say what you want about Microsoft — please! use profanity! — but they wouldn’t let a zero-interaction, full-exfil bug go unfixed on a seven month old release.
@gknauss they still might drop one, but apparently priority was 26.4 getting out the door. if they do it's might be like in between 26.5b2 and 3 or something weird like that
-
@gknauss they still might drop one, but apparently priority was 26.4 getting out the door. if they do it's might be like in between 26.5b2 and 3 or something weird like that
@ppb1701 That they’ve already released 18.7.3 for phones that can’t upgrade to 26 but nothing for those that can does not bode well, alas. “Upgrade to 26” is the current recommendation, which just happens to suit their interests (and not mine).
-
@ppb1701 That they’ve already released 18.7.3 for phones that can’t upgrade to 26 but nothing for those that can does not bode well, alas. “Upgrade to 26” is the current recommendation, which just happens to suit their interests (and not mine).
@gknauss nope that doesn't bode well. I do think they will eventually patch it...but it does seem more like they wanna say. "Sure it's patched, do the update to 26"
-
@gknauss Ah I see, and you'd rather not run into the Liquid Glass ceiling. That does seem to be an issue!
@mttaggart @gknauss same for SE 2022 (funnily, my SE 2016 does get patched…)
-
@gknauss worse, it’ll patch it, just not for phones that can run 26
@jsnell @gknauss @mttaggart call customer support and file one at https://www.apple.com/feedback/iphone/
if they get even 10 million requests, maybe they begin to think
-
@mttaggart 18.7.X isn’t offered to me, since I’m on a iPhone 15 Pro. It’s either up to 26 or staying at 18.6.2.
@gknauss @mttaggart Try opting into the iOS 18 public beta from the software update settings. It should offer 18.7.3 as an update, and being on that beta branch will prevent iOS 26 from appearing as well.
I did this when 18.7.3 came out since it wasn’t offered as “normal” update, just a final release on the beta branch. 18.7.4 on do seem to be exclusive to older devices though.
