Apple has patched two actively exploited macOS vulnerabilities tracked as CVE-2022-22675 and CVE-2022-22674 in macOS Monterey. However, the fixes only apply to Monterey and not Big Sur or Catalina, two older versions of the current macOS.
Security firm Intego reports that both older operating systems are still at risk. The issues are related to AppleAVD, affecting only Big Sur and an Intel graphics driver flaw affecting Big Sur and Catalina. Since Monterey’s release, this is also the first time that Apple has failed to patch any actively exploited flaws for older versions of its desktop operating system.
Security researcher Mickey Jin has confirmed that M1-based Macs running Big Sur are, in fact, vulnerable to the AppleAVD bug. Devices running iOS 14 and iPadOS 14, which Apple stopped supporting in January, are also affected by the exploit.
In the News: Apple’s online WWDC 2022 begins on June 6
Breaking a decade long precedence
The AppleAVD bug tracked as CVE-2022-22675 is an out-of-bounds write bug that allows malicious code execution with kernel-level permissions. macOS Catalina isn’t impacted by this bug simply because it doesn’t have the AppleAVD component for decoding audio and video in the first place.
The Intel graphics driver flaw (CVE-2022-22674) Intego reports high confidence that Big Sur and Catalina are affected. The firm, however, is still working to confirm whether or not these macOS versions are affected, with Apple’s patch notes only stating that an anonymous researcher reported the vulnerability.
Apple has actively maintained the practice of patching the previous two macOS versions alongside the current macOS version for nearly a decade now. Unlike Windows, which has a limited lifecycle policy, Apple uses hardware obsolescence dates instead.
Support for macOS Catalina will end around November 2022, while Big Sur is expected to stop receiving support from Apple around November 2023. Apple hasn’t patched these vulnerabilities in these two versions, which means that around 35 to 40% of Macs currently in use are vulnerable to one or both of these exploits.