Apple recently released emergency patches for two actively exploited zero-days in macOS and iOS, both reported by an anonymous researcher. The company said the flaws have been exploited in the wild.
The vulnerabilities have been fixed in iOS and iPadOS 15.4.1, macOS Monterey 12.3.1, tvOS 15.4.1, and watchOS 8.5.1. However, it turns out that Apple has left out machines running Big Sur and Catalina.
Apple Leaves Big Sur and Catalina Unpatched
An Intego report says that the company “has chosen to leave an estimated 35–40% of all supported Macs in danger of actively exploited vulnerabilities.” A week after the bugs were disclosed, Apple still hasn’t released corresponding security updates to fix the same issues in the two previous macOS versions, Big Sur (macOS 11) and Catalina (macOS 10.15), Intego said.
“Both of these macOS versions are ostensibly still receiving patches for ‘significant vulnerabilities’—and actively exploited zero-day vulnerabilities certainly qualify as significant,” the researchers added.
Apple has maintained the practice of patching the two previous macOS versions alongside the current macOS version for nearly a decade. Now, however, it has neglected to patch both Big Sur and Catalina against the latest actively exploited vulnerabilities.
CVE-2022-22675 is an out-of-bounds write vulnerability in the audio and video decoding component called AppleAVD. The vulnerability could lead to arbitrary code execution (also known as remote code execution) with kernel privileges.
CVE-2022-22674 is an out-of-bounds read issue in the Intel Graphics Driver module. The issue could enable malicious actors to read kernel memory.
The macOS Monterey 12.3.1 update, which was released last week, included fixes for the two zero-days (CVE-2022-22675 and CVE-2022-22674). The former remains unpatched for macOS Big Sur, and the latter appears to affect both Big Sur and Catalina, Intego warned.
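For fleet triage, a defender mostly wants to know which Macs sit on a version with no fix available versus ones that merely have an update pending. The following is an added example, not code from the article or from Intego; it encodes only the facts stated above (Monterey 12.3.1 carries the fixes; Big Sur 11.x and Catalina 10.15.x had no corresponding update at the time of writing) and assumes version strings in the form produced by `sw_vers -productVersion`. Host names and versions in the sample inventory are constructed.

```python
# Added example (not from the article): classify a Mac's macOS version by
# whether it carries the fixes for CVE-2022-22675 / CVE-2022-22674.
# Facts used are only those stated in the article: Monterey 12.3.1 is fixed;
# Big Sur (11.x) and Catalina (10.15.x) had no fix at the time of writing.
import subprocess

PATCHED_MONTEREY = (12, 3, 1)   # first Monterey release with both fixes


def parse_version(text):
    """Turn '12.3.1' or '11.6' into a 3-tuple of ints (missing parts become 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected macOS version string: {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def exposure_status(product_version):
    """Return 'patched', 'update_available', 'no_fix_available' or 'unknown'."""
    v = parse_version(product_version)
    if v[:2] == (10, 15):   # Catalina: affected by CVE-2022-22674, no update shipped
        return "no_fix_available"
    if v[0] == 11:          # Big Sur: affected by both CVEs, no update shipped
        return "no_fix_available"
    if v[0] == 12:          # Monterey: fixed from 12.3.1 onward
        return "patched" if v >= PATCHED_MONTEREY else "update_available"
    return "unknown"        # older than Catalina or newer than Monterey: not covered here


def local_status():
    """Classify the Mac this script runs on (hypothetical helper; needs macOS)."""
    out = subprocess.run(["sw_vers", "-productVersion"],
                         capture_output=True, text=True, check=True).stdout
    return exposure_status(out)


def triage(inventory):
    """Map host -> status for an inventory of {host: version_string}."""
    return {host: exposure_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"mac-a": "12.3.1", "mac-b": "12.3", "mac-c": "11.6.5", "mac-d": "10.15.7"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```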