Apple patched two actively exploited vulnerabilities in macOS Monterey last week, but Intego analysts emphasize that the company left users of older supported versions of its OS, i.e. Big Sur and Catalina, unprotected.
We are talking about vulnerabilities CVE-2022-22674 (a problem in the AppleAVD media decoder code) and CVE-2022-22675 (an out-of-bounds write in the Intel Graphics Driver).
Intego expert Joshua Long writes that the AppleAVD issue remains unfixed in macOS Big Sur (Catalina is not affected at all, as it lacks the AppleAVD component). According to him, the vulnerability in the Intel Graphics Driver affects both Big Sur and Catalina, and in both cases the OS was left without patches.
Let me remind you that support for macOS Catalina should end around November 2022, and macOS Big Sur should end in November 2023. But Apple has very clear deadlines for the obsolescence of its hardware, and says little about macOS support policies. Typically, the company maintains an active release of macOS for about a year, and in parallel publishes updates and patches for the previous two releases of the OS. But it looks like something has changed.
“This is the first time since the release of macOS Monterey that Apple has neglected to patch actively exploited vulnerabilities in Big Sur and Catalina,” says Long. “The previous three actively exploited vulnerabilities were addressed simultaneously for Monterey, Big Sur and Catalina.”
At the same time, Apple representatives do not explain why the company suddenly left old versions of macOS without patches, and Long notes that as a result, approximately 35-40% of Macs currently in use are vulnerable to one or both bugs.
Long adds that there are dozens of other vulnerabilities in Big Sur and Catalina that are simply not exploited as actively by hackers.
“Apple has an unfortunate history of deliberately leaving ‘supported’ versions of macOS unprotected from some actively exploited issues. Such situations, when the vendor simply decides not to release patches, are sometimes called ‘eternal 0-day vulnerabilities’,” the expert sums up.