Posted on April 5th, 2022 by Joshua Long
Apple has chosen to leave an estimated 35–40% of all supported Macs in danger of actively exploited vulnerabilities.
Last week, on March 31, Apple patched two “actively exploited” (i.e. in-the-wild, zero-day) security vulnerabilities for macOS Monterey.
After nearly a week, Apple still has not released corresponding security updates to address the same vulnerabilities in the two previous macOS versions, Big Sur (aka macOS 11) and Catalina (aka macOS 10.15).
Both of these macOS versions are ostensibly still receiving patches for “significant vulnerabilities”—and actively exploited zero-day vulnerabilities certainly qualify as significant. Apple has maintained the practice of patching the two previous macOS versions alongside the current macOS version for nearly a decade. But now, Apple has neglected to patch both Big Sur and Catalina to address the latest actively exploited vulnerabilities.
Let’s break down what the problem is, and what Apple needs to do to remedy this serious issue.
In this article:
- Which Apple operating systems remain vulnerable?
- How many Macs are affected by the new vulnerabilities?
- Has anything like this ever happened before?
- Frequently asked questions
- How can I learn more?
Which Apple operating systems remain vulnerable?
Apple’s macOS Monterey 12.3.1 update, released last week, included fixes for two actively exploited vulnerabilities: CVE-2022-22675 (a bug in AppleAVD) and CVE-2022-22674 (a bug in Intel Graphics Driver). The former remains unpatched for macOS Big Sur, and the latter appears to affect both Big Sur and Catalina.
This is the first time since the release of macOS Monterey that Apple has neglected to patch actively exploited vulnerabilities for Big Sur and Catalina. The previous three actively exploited vulnerabilities were each patched simultaneously for Monterey, Big Sur, and Catalina.
List of all macOS Monterey-era vulnerabilities that Apple has identified as actively exploited (i.e. zero-day vulnerabilities used in in-the-wild attacks). Until now, Apple had patched them simultaneously for all three supported macOS versions. Credit: Intego.
Big Sur: CVE-2022-22675
Intego has confirmed that macOS Big Sur remains vulnerable to CVE-2022-22675, an actively exploited vulnerability in the AppleAVD component.
Last week, Mickey Jin—one of the top reporters of OS vulnerabilities to Apple—reverse engineered Apple’s patch for macOS Monterey. He then verified that macOS Big Sur does indeed still contain the same vulnerability. Jin observed that M1-based Macs running macOS Big Sur remain vulnerable to CVE-2022-22675.
We have inquired of Apple several times about this over the past week. Apple has not responded to any of our questions. It remains a mystery why Apple seems to have deliberately left macOS Big Sur susceptible to this actively exploited vulnerability. It is also unknown whether or not a patch may come eventually (either because Apple was already planning to, or due to public pressure).
Meanwhile, macOS Catalina does not contain the vulnerable component, AppleAVD, so Catalina is unaffected by CVE-2022-22675 specifically.
Incidentally, according to Jin, it appears that iOS 14 and iPadOS 14 are also vulnerable to CVE-2022-22675. However, Apple officially (albeit quietly, and without warning) stopped supporting iOS and iPadOS 14 in January 2022, so it is no surprise that users must upgrade to the latest version of iOS 15 or iPadOS 15 to continue getting security updates. Last week’s iOS and iPadOS 15.4.1 updates—which are compatible with all devices running iOS or iPadOS 14—provide a fix for CVE-2022-22675.
By contrast, macOS Monterey and macOS Big Sur each dropped support for certain Mac hardware, so some Mac users cannot upgrade beyond Catalina or Big Sur to receive security updates that are currently only offered in Monterey.
Big Sur and Catalina: CVE-2022-22674
It is highly likely that macOS Big Sur and macOS Catalina are both vulnerable to CVE-2022-22674, the other actively exploited vulnerability that was fixed for only macOS Monterey last week.
Intego is actively working to confirm that Big Sur and Catalina are affected. Unfortunately, Apple has neither issued a statement nor responded to our inquiries. Apple’s patch notes indicate that CVE-2022-22674 was reported by an “anonymous researcher,” making it difficult to independently and conclusively confirm whether the vulnerability affects previous macOS versions without reverse engineering Apple’s Monterey patch.
However, we have high confidence that CVE-2022-22674 likely affects both macOS Big Sur and macOS Catalina. Nearly all vulnerabilities in the Intel Graphics Driver component in recent years have affected all versions of macOS.
For reference, here is a list of Intel Graphics Driver vulnerabilities that Apple patched while Big Sur was the latest macOS. Apple’s patch notes indicate that nearly all of them were present in every macOS version supported at the time. Credit: Intego.
Until Apple’s Monterey patch for CVE-2022-22674 can be reverse-engineered, past experience is a strong indicator that the vulnerability is highly likely to be present in both Big Sur and Catalina. The lack of patches for these operating systems leaves them highly susceptible to attacks that target this actively exploited vulnerability.
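For fleet triage against the two CVEs discussed in the sections above, here is an added shell check (not from the original article or from Apple) that maps a macOS product version to the patch picture described here: 12.3.1 or later has both fixes, Big Sur has neither, and Catalina is exposed only to CVE-2022-22674 because it lacks AppleAVD. It assumes `sw_vers -productVersion` is available when no version is passed on the command line, and it labels the Big Sur and Catalina exposure to CVE-2022-22674 as likely rather than confirmed, as the text does.

```shell
#!/bin/sh
# Added check (not from the article): classify a macOS product version against
# the patch status of CVE-2022-22675 and CVE-2022-22674 described in the post.
# Assumption: `sw_vers -productVersion` exists on the host when no argument is given.

# Compare two dotted version strings numerically; prints -1, 0 or 1.
# A trailing dot is appended so `cut` sees a delimiter even for "12".
vercmp() {
  a="$1." b="$2." i=1
  while :; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then printf '0\n'; return; fi
    x=${x:-0}; y=${y:-0}          # missing components count as 0 (12 == 12.0.0)
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '1\n'; return; fi
    i=$((i + 1))
  done
}

# Print a one-line status for a version: patched, vulnerable, out of scope or unknown.
macos_patch_status() {
  v=${1:-$(sw_vers -productVersion 2>/dev/null)}
  case "$v" in
    "")
      echo "unknown: no version given and sw_vers is not available" ;;
    11.*)
      echo "vulnerable: Big Sur $v has no fix for CVE-2022-22675 (confirmed) or CVE-2022-22674 (likely)" ;;
    10.15|10.15.*)
      echo "vulnerable: Catalina $v has no fix for CVE-2022-22674 (likely); AppleAVD is absent, so CVE-2022-22675 does not apply" ;;
    *)
      if [ "$(vercmp "$v" 12.3.1)" -ge 0 ]; then
        echo "patched: $v includes the 12.3.1 fixes for CVE-2022-22675 and CVE-2022-22674"
      elif [ "$(vercmp "$v" 12)" -ge 0 ]; then
        echo "vulnerable: Monterey $v predates 12.3.1; update to receive the fixes"
      else
        echo "out of scope: $v is older than the versions discussed"
      fi ;;
  esac
}

# Stand-alone use: report on this host, or on each version passed as an argument.
if [ $# -eq 0 ]; then macos_patch_status; else for ver in "$@"; do macos_patch_status "$ver"; done; fi
```

Feed it the output of `sw_vers -productVersion` collected by your MDM or inventory tool to see at a glance which Macs are still waiting on a fix.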
Other vulnerabilities in Big Sur and Catalina
The main focus of this article is to point out the existence of the two new, actively exploited vulnerabilities in macOS Big Sur and Catalina. However, it’s worth mentioning that there are also dozens of vulnerabilities that Apple has not identified as actively exploited, that remain in macOS Big Sur and Catalina.
Quick update: #Saf