![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2021\/01\/Finder-icon-macOS-Big-Sur-sad-face.png\"){kind=icon}
<\/p>\n<\/p>\n
Update:<\/em> After 6.5 weeks\u2014and significant public pressure resulting from this article\u2014Apple finally released patches\u00a0<\/span>for<\/span>\u00a0<\/span>macOS Big Sur<\/a>\u00a0<\/span>and<\/span>\u00a0<\/span>macOS Catalina<\/a> on May 16 that <\/span>address these actively exploited vulnerabilities<\/span>.<\/span><\/p>\n Apple has chosen to leave an estimated 35\u201340% of all supported Macs in danger of actively exploited vulnerabilities.<\/strong><\/p>\n Last week, on March 31, Apple patched<\/a> two \u201cactively exploited\u201d (i.e. in-the-wild, zero-day) security vulnerabilities for macOS Monterey.<\/p>\n After nearly a week, Apple still has not released corresponding security updates to address the same vulnerabilities in the two previous macOS versions, Big Sur (aka macOS 11) and Catalina (aka macOS 10.15).<\/p>\n Both of these macOS versions are ostensibly still receiving patches for “significant vulnerabilities”\u2014and actively exploited zero-day vulnerabilities certainly qualify as significant. Apple has maintained the practice of patching the two previous macOS versions alongside the current macOS version for nearly a decade. But now, Apple has neglected to patch both Big Sur and Catalina to address the latest actively exploited vulnerabilities.<\/p>\n Let’s break down what the problem is, and what Apple needs to do to remedy this serious issue.<\/p>\n In this article:<\/em><\/p>\n Apple’s macOS Monterey 12.3.1 update<\/a>, released last week, included fixes for two actively exploited vulnerabilities: CVE-2022-22675 (a bug in AppleAVD) and CVE-2022-22674 (a bug in Intel Graphics Driver). The former remains unpatched for macOS Big Sur, and the latter appears to affect both Big Sur and Catalina.<\/p>\n This is the first time since the release of macOS Monterey that Apple has neglected to patch actively exploited vulnerabilities for Big Sur and Catalina. The previous three actively exploited vulnerabilities were each patched simultaneously for Monterey, Big Sur, and Catalina.<\/p>\n <\/a> List of all macOS Monterey-era vulnerabilities that Apple has identified as actively exploited (i.e. zero-day vulnerabilities used in in-the-wild attacks). Until now, Apple had patched them simultaneously for all three supported macOS versions. Credit: Intego.<\/p><\/div>\n Last week, Mickey Jin<\/a>\u2014one of the top reporters of OS vulnerabilities to Apple\u2014reverse engineered Apple’s patch for macOS Monterey. He then verified that macOS Big Sur does indeed still contain the same vulnerability. Jin observed<\/a> that M1-based Macs running macOS Big Sur remain vulnerable to CVE-2022-22675.<\/p>\n We have inquired of Apple several times about this over the past week. Apple has not responded to any of our questions. It remains a mystery why Apple seems to have deliberately left macOS Big Sur susceptible to this actively exploited vulnerability. It is also unknown whether or not a patch may come eventually (either because Apple was already planning to, or due to public pressure).<\/p>\n Meanwhile, macOS Catalina does not contain the vulnerable component, AppleAVD, so Catalina is unaffected by CVE-2022-22675 specifically.<\/p>\n Incidentally, according to Jin, it appears that iOS 14 and iPadOS 14 are also vulnerable to CVE-2022-22675<\/strong>. However, Apple officially (albeit quietly, and without warning) stopped supporting iOS and iPadOS 14 in January 2022<\/a>, so it is no surprise that users must upgrade to the latest version of iOS 15 or iPadOS 15 to continue getting security updates. Last week’s iOS and iPadOS 15.4.1 updates<\/a>\u2014which are compatible with all devices running iOS or iPadOS 14\u2014provide a fix for CVE-2022-22675.<\/p>\n By contrast, macOS Monterey and macOS Big Sur each dropped support for certain Mac hardware, so some Mac users cannot upgrade beyond Catalina or Big Sur to receive security updates that are currently only offered in Monterey.<\/a><\/p>\n Intego is actively working to confirm that Big Sur and Catalina are affected. Unfortunately, Apple has neither issued a statement nor responded to our inquiries. Apple’s patch notes indicate that CVE-2022-22674 was reported by an “anonymous researcher,” making it difficult to independently and conclusively confirm whether the vulnerability affects previous macOS versions without reverse engineering Apple’s Monterey patch.<\/p>\n However, we have high confidence that CVE-2022-22674 likely affects both macOS Big Sur and macOS Catalina.<\/strong> Nearly all vulnerabilities in the Intel Graphics Driver component in recent years have affected all versions of macOS.<\/p>\n For reference, a list of Intel Graphics Driver vulnerabilities that Apple patched while Big Sur was the latest macOS. Apple’s patches indicate that nearly all Intel Graphics Driver vulnerabilities were present in all macOS versions. Credit: Intego.<\/p><\/div>\n Until Apple’s Monterey patch for CVE-2022-22674 can be reverse-engineered, past experience is a strong indicator that the vulnerability is highly likely to be present in both Big Sur and Catalina. The lack of patches for these operating systems leaves them highly susceptible to attacks that target this actively exploited vulnerability.<\/a><\/p>\n Quick update: #Safari<\/a> 15.1 was released for Big Sur & Catalina yesterday, & its release notes indicate that 5 of the 7 #WebKit<\/a> vulnerabilities were fixed. Two appear to remain unpatched for 11.x and 10.15.x: CVEs 2021-30823 (Gullasch @0x41414141<\/a>) & 2021-30861 (@_r3ggi<\/a> & Pickren).<\/p>\n — Josh Long (the\u00a0JoshMeister) (@theJoshMeister) October 28, 2021<\/a><\/p><\/blockquote>\n\n
\n
Which Apple operating systems remain vulnerable?<\/h3>\n
![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/04\/actively-exploited-macos-monterey-vulnerabilities-20220404.png\")
\nBig Sur: CVE-2022-22675
\n<\/strong><\/h4>\n
\nIntego has confirmed that macOS Big Sur remains vulnerable to CVE-2022-22675<\/strong>, an actively exploited vulnerability in the AppleAVD component.<\/p>\n
\nBig Sur and Catalina: CVE-2022-22674
\n<\/strong><\/h4>\n
\nIt is highly likely that macOS Big Sur and macOS Catalina are both vulnerable to CVE-2022-22674, the other actively exploited vulnerability that was fixed for only macOS Monterey last week.<\/span><\/p>\n![\"\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2022\/04\/macos-big-sur-era-intel-graphics-driver-vulnerabilities.png\")
\nOther vulnerabilities in Big Sur and Catalina<\/strong><\/h4>\n
\nThe main focus of this article is to point out the existence of the two new, actively exploited vulnerabilities in macOS Big Sur and Catalina. However, it’s worth mentioning that there are also dozens of vulnerabilities that Apple has not<\/em> identified as actively exploited, that remain in macOS Big Sur and Catalina.<\/span><\/p>\n\n