Software security company Intego estimates around 35-40% of all Mac computers are currently vulnerable to zero-days Apple ‘neglected’ to patch.
The two actively exploited zero-day vulnerabilities were addressed by Apple in an earlier security fix, but it failed to release patches for older versions of macOS, namely Big Sur and Catalina.
Apple released an emergency patch for two zero-days last week, tracked as CVE-2022-22674 and CVE-2022-22675, both of which Apple said was under active exploitation.
Both security vulnerabilities affected macOS and the latter (CVE-2022-22675) also affected iOS and iPadOS too, said Joshua Long, chief security analyst at Intego. Some older versions such as iOS 14 were also neglected in last week’s patch but this could be explained by Apple “quietly” ending support for iOS 14 in January 2022.
“Both of these macOS versions are ostensibly still receiving patches for ‘significant vulnerabilities’ – and actively exploited zero-day vulnerabilities certainly qualify as significant,” said Long in a blog post.
“Apple has maintained the practice of patching the two previous macOS versions alongside the current macOS version for nearly a decade. But now, Apple has neglected to patch both Big Sur and Catalina to address the latest actively exploited vulnerabilities.”
Long said Catalina does not have the vulnerable component, AppleAVD, involved in CVE-2022-22675 so is not vulnerable to this specifically. However, it is believed to be vulnerable to CVE-2022-22674 and Big Sur is believed to be vulnerable to both.
Apple has reportedly not responded to Intego’s requests for clarity on why the older macOS versions have not received the security patches, despite still receiving security updates more generally.
Long pointed out that this isn’t the first time Apple has neglected older macOS versions in security updates. According to the security analyst, Apple failed to patch two out of the total seven WebKit vulnerabilities found in Safari back in October for macOS Big Sur and Catalina too.
“A preliminary assessment of just the first round of patches at macOS Monterey’s release in October 2021 indicated that there may have already been well over a dozen vulnerabilities that were not patched for previous macOS versions,” said Long.
Back when Big Sur was the newest macOS version running on Apple computers, the researcher’s analysis showed less than half of the hundreds of security vulnerabilities known at the time were fixed for the then-three most recent macOS versions.
Around 16% were patched for the most recent two versions and 34% were patched only for the most recent, Big Sur.
Modernise your server infrastructure for speed and security
Infrastructure lifecycle automation paves the way for an adaptive, resilient organisation
Hybrid cloud: A smart choice for AI and HPC
Drive business benefits while solving top challenges
Work from anywhere: Empowering the future of work
Employees want to work from anywhere, IT needs to be able to support this shift
The state of SD-WAN, SASE and zero trust security architectures
Be a leader in the deployment of zero trust, SD-WAN and SASE