Between 35% and 40% of all supported Macs might be at heightened risk of compromise from two zero-day vulnerabilities that Apple has said are being exploited in the wild, but for which the company has not yet issued a patch.
Apple disclosed the two vulnerabilities — CVE-2022-22675 and CVE-2022-22674 — last week and described them as impacting devices running its macOS, iOS, and iPadOS operating systems. The company released updated versions of the software that addressed the issue for users of Apple’s latest macOS Monterey and iOS 15 and iPadOS 15 operating systems.
However, in a break from its usual practice, Apple appears, so far at least, not to have released a corresponding fix for the flaws in the two immediately preceding versions of the macOS — Big Sur and Catalina — says Joshua Long, chief security analyst at Intego.
This marks the first time since Apple released macOS Monterey last October that the company has not issued a patch for actively exploited vulnerabilities in Big Sur and Catalina, Long says. On three occasions before this — in Oct. ’21, Jan. ’22, and Feb. ’22 — the company issued simultaneous patches for Big Sur and Catalina to address bugs that were being actively exploited in IOMobileFrameBuffer (twice) and in WebKit.
In fact, Apple has made it a practice for nearly a decade to patch the previous two macOS versions every time it has issued a significant update for the current macOS, he notes.
Intego made several attempts to get an explanation from Apple, but the company has so far not responded, he says. Apple did not respond to a Dark Reading request for comment on Intego’s report, either.
Long says that by Intego’s estimates — based on pre-Catalina macOS adoption rates — some 35% to 40% of Macs in active use currently are running macOS Big Sur or older and therefore remain vulnerable to the two zero-day threats. Long says it’s not clear why Apple might have deviated from its usual patch release practices this time around. Nor is it clear if the company even has a plan to address the problem in Big Sur and Catalina.
Patching Policy Unclear
“Apple has never publicly stated their patching policy, beyond saying way back in 2003 that ‘it is Apple’s policy to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible,’” Long notes. What the company has not made clear is what exactly it defines as a significant threat. “But one would assume that a zero-day vulnerability that’s being actively exploited in the wild to be ‘significant’ by anyone’s standards,” he says.
CVE-2022-22675 stems from an out-of-bounds write issue in the AppleAVD media file decoder. It impacts multiple supported iOS, macOS, and iPadOS versions and gives attackers a way to execute malicious code at the kernel level. The other flaw — CVE-2022-22674 — is tied to an out-of-bounds read issue in an Intel Graphics Driver component and could result in the content of kernel memory being disclosed to attackers. This flaw exists in macOS versions only.
Long says Intego was able to confirm that Big Sur is vulnerable to CVE-2022-22675 by reverse-engineering the patch that Apple released for the flaw for macOS Monterey.
“Catalina is not impacted by CVE-2022-22675 because it doesn’t have the affected component,” he says. Intego has not yet reverse-engineered the patch for CVE-2022-22674, so the company has not been able to confirm whether the vulnerability is present in Big Sur and Catalina.
But it is highly likely that the vulnerability impacts those two operating systems as well, because nearly every vulnerability found in the Intel Graphics Driver component in recent years has affected all versions of macOS. There is no reason to believe the present vulnerability is any different, according to Long.
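The per-version exposure the article lays out (Monterey fixed by Apple's update, Big Sur confirmed vulnerable to CVE-2022-22675 with CVE-2022-22674 likely, Catalina lacking the AppleAVD component but likely exposed to CVE-2022-22674) is the kind of table a fleet administrator needs when deciding which Macs to prioritise. The script below is an added example written for this page; it is not code from the article, from Intego or from Apple. It encodes only the exposure statements above and assumes the caller supplies the first Monterey version that carries Apple's fix (the article does not name it), via the hypothetical PATCHED_MONTEREY variable.

```shell
#!/bin/sh
# Added example (not from the article, Intego or Apple): triage a macOS
# product version string against the exposure the article describes for
# CVE-2022-22675 (AppleAVD, out-of-bounds write) and CVE-2022-22674
# (Intel Graphics Driver, out-of-bounds read). The first Monterey version
# carrying Apple's fix is an assumption the caller must supply.

# version_ge A B: succeeds when dotted version A >= B, comparing each
# numeric field in turn and treating missing trailing fields as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        lim = (n > m) ? n : m
        for (i = 1; i <= lim; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# classify_macos_version VERSION PATCHED_MONTEREY
# Prints "<status>\t<rationale>", with the rationale taken from the article.
classify_macos_version() {
    v="$1"; fixed="$2"
    major=$(printf '%s' "$v" | cut -d. -f1)
    minor=$(printf '%s' "$v" | cut -d. -f2)
    case "$major" in
        12)
            if version_ge "$v" "$fixed"; then
                printf 'patched\tMonterey at or above the version that includes the fix\n'
            else
                printf 'update-available\tMonterey below the fixed version; install the Monterey update\n'
            fi ;;
        11)
            printf 'exposed\tBig Sur: CVE-2022-22675 confirmed by Intego, CVE-2022-22674 likely; no Apple fix yet\n' ;;
        10)
            if [ "${minor:-0}" -eq 15 ]; then
                printf 'exposed\tCatalina: CVE-2022-22675 not applicable (component absent), CVE-2022-22674 likely; no Apple fix yet\n'
            else
                printf 'end-of-life\tPre-Catalina macOS: no longer receives Apple security updates; treat as exposed\n'
            fi ;;
        *)
            printf 'unknown\tVersion not covered by this triage table; check the current Apple advisory\n' ;;
    esac
}

# status_of VERSION PATCHED_MONTEREY: only the status word, for scripting.
status_of() {
    classify_macos_version "$1" "$2" | cut -f1
}

# Stand-alone use on a Mac: report the host this runs on. Skipped where
# sw_vers is absent (non-macOS) or the fixed version has not been supplied.
if command -v sw_vers >/dev/null 2>&1 && [ -n "$PATCHED_MONTEREY" ]; then
    classify_macos_version "$(sw_vers -productVersion)" "$PATCHED_MONTEREY"
fi
```

Run it on a Mac as `PATCHED_MONTEREY=<fixed version> sh triage.sh`, or feed version strings collected by an MDM inventory export through `status_of` to count the exposed population; the status word is deliberately coarse so that it can be grouped and tallied without parsing the rationale text.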
Intego said that there are dozens of other vulnerabilities in Big Sur and Catalina that Apple has not addressed over the years.
Apple, like many other major software vendors, has had its share of criticism in the past over its patching practices and what many perceive as its reluctance to share detailed information on critical security issues. Last November, security vendor Malwarebytes slammed the company for taking some seven months to address a serious vulnerability in Catalina even though the flaw was being exploited for months. Malwarebytes described the incident as an example of Apple’s unreliability when it comes to fixing anything but the latest versions of its operating systems and software.