Apple almost never backports security patches to older versions of iOS. The standard position has always been simple: update to the current version or accept the risk. For the second time in a month, Apple broke that rule. The first was Coruna, an iOS 17 exploit linked to US government tooling that spread to Russian hackers and then to cybercriminals. The second is DarkSword, a WebKit exploit targeting iOS 18 devices that ended up on GitHub, got picked up by an FSB-linked group, and was found running on fake English-language sites targeting US users as recently as last week.
Both times, Apple patched the older OS instead of just telling people to upgrade. That's worth paying attention to.
With DarkSword, around a quarter of iPhone users were still on iOS 18 as of February. In the UK, iOS 26 ships with age verification features that require users to submit identity documents to access certain content. That's a government-mandated ID check built into your phone's operating system. For a lot of users, that's not a software preference. That's a reason to refuse.
Apple can't stop the UK government from mandating age verification. What it can control is whether upgrading is the only available path to a security fix. This time, it decided it wasn't. Users with auto-update enabled on iOS 18 will receive the patch automatically. Everyone else gets to choose between patching iOS 18 or moving to iOS 26.
Patrick Wardle, former NSA hacker and now CEO of Apple security firm DoubleYou, noted that the backport came after DarkSword was already being actively abused. Rocky Cole from iVerify said Apple left a large number of people vulnerable for two weeks on something severe enough to warrant faster action. Both are fair criticisms of the timeline. Neither changes the fact that backporting happened at all, which by Apple's own historical standards is the anomaly worth examining.
Apple has built its security reputation on the idea that iPhones are hardened targets, that serious exploits are rare and aimed at high-value individuals. DarkSword and Coruna appearing in the same month, both spreading beyond their original operators and reaching ordinary users, complicates that picture. Backporting fixes to older OS versions is expensive to maintain and sets a precedent Apple has spent years avoiding. Apple blinked anyway. "Just upgrade" stops working as an answer when upgrading means handing your ID to your government to use your phone.
FAQ
What is backporting?
Backporting means applying a security fix to an older version of software rather than only patching the latest release. Apple has historically avoided doing this for iOS.
What is DarkSword?
DarkSword is a WebKit exploit that can silently compromise iOS 18 devices when a user visits a malicious website. It spread to multiple hacker groups after being posted publicly to GitHub.
Why didn't people just upgrade to iOS 26?
Reasons varied. Some users had incompatible apps, some lacked storage space, and in the UK, iOS 26 includes age verification features that require submitting identity documents.
What is Coruna?
Coruna is a separate iOS exploitation toolkit linked to US government tooling that spread from Russian espionage hackers to cybercriminals. Apple backported fixes to iOS 17 for Coruna earlier in March.
Does the iOS 18 patch install automatically?
Users with auto-update enabled will receive the patched version of iOS 18 without doing anything. Everyone else can manually choose to patch iOS 18 or upgrade to iOS 26.
