Apple Misses Fixing Zero-Day Issues in macOS Big Sur, Catalina

Apple appears to have ignored macOS Big Sur and macOS Catalina while fixing two zero-day vulnerabilities that it patched in macOS Monterey 12.3.1 last week. The issues were found in Apple’s audio and video decoding framework AppleAVD and the Intel graphics driver. Separately, Apple has released the first public beta of macOS Monterey 12.4 just a day after providing the update to developers. Exact details on when the new macOS release will be available to users publicly are yet to be revealed, though.

Security software maker Intego estimated in a blog post that by not fixing the two known zero-day vulnerabilities, Apple has chosen to make 35–40 percent of all supported Mac machines vulnerable to attacks. The vulnerabilities that were recorded as CVE-2022-22675 and CVE-2022-22674 were fixed for the users on macOS Monterey through the latest update that was released last week.

The CVE-2022-22675 is related to a bug affecting the AppleAVD framework that could help attackers gain kernel privileges by using an app to execute arbitrary code, while the CVE-2022-22674 is for the flaw that existed in the Intel Graphics driver. The latter could allow apps to read kernel memory.

At the time of recording the security fixes last week, Apple wrote on its support page that it was aware of reports that the issues might “have been actively exploited” by attackers.

However, the Cupertino giant has still not released the same fixes for its users on older macOS versions.

Intego said that this was the first time since the release of macOS Monterey that Apple neglected to patch actively exploited vulnerabilities for macOS Big Sur and macOS Catalina users.

The vulnerability CVE-2022-22675 also exists in iOS 14 and iPadOS 14, Intego said, citing security analyst Mickey Jin. However, Apple stopped supporting both software versions in January, so a large number of users seem to have already moved to iOS 15 or iPadOS 15 — depending on the devices they have.

The systems on macOS Big Sur and Catalina are, though, still eligible for receiving security updates. It is, thus, unclear why Apple didn’t release patches for those systems this time.

Gadgets 360 has reached out to Apple for a comment on the matter and will update this article when the company responds.

Intego said that Apple had not responded to its requests to update older macOS versions.

While macOS Big Sur and Catalina machines are yet to receive the latest security patch, Apple has released the first public beta of its macOS Monterey 12.4 to test its new operating system version. The update comes just a day after the beta release was made available to developers.

Details on what features macOS Monterey 12.4 public beta brings to users are yet to be revealed. However, the release notes do say that the Universal Control in the new iPadOS 15.5 and macOS Monterey 12.4 updates is not compatible with machines running macOS 12.3 or iPadOS 15.4, as reported by MacRumors.

This means that users updating their Mac machines to the latest beta release need to install the first beta release of iPadOS 15.5 on their iPad to use the Universal Control feature.

The first developer beta release of iPadOS 15.5 is available alongside the iOS 15.5 beta 1.

Users who have enrolled for the public beta testing can look for the macOS Monterey 12.4 release by going to System Preferences > Software Update after clicking on the Apple menu icon. New users can enrol in the Apple Beta Software Programme from the Apple site. It is important to point out that beta releases are meant specifically for testing purposes and are likely to introduce bugs.

Affiliate links may be automatically generated – see our ethics statement for details.

Leave a Comment