Apple has not patched two known vulnerabilities in macOS Big Sur and Catalina, despite signals that the bug is being actively exploited. The vulnerability has been fixed in the new Monterey, but older versions remain, security researchers say.
Apple released on March 31 macOS Monterey 12.3.1 off. In it, the company repaired two zero days. Both CVE-2022-22675 if CVE-2022-22654 was actively abused, according to Apple, but no details are known about that abuse. The first vulnerability is in AppleAVD. The out-of-bounds-write vulnerability made it possible to execute code with kernel privileges. The second vulnerability is slightly less serious. This is a vulnerability in the Intel Graphics driver that makes it possible to read the kernel memory.
The vulnerabilities have been fixed in macOS Monterey, but not in older operating systems, writes security company Intego. The company says the vulnerabilities are in macOS 11, or Big Sur, and in macOS 10.15, or Catalina. AppleAVD’s first issue is not patched on Big Sur only. Catalina was not affected by that vulnerability because that OS does not use that component. The Intel Graphics bug affects both Big Sur and Catalina. An independent security researcher confirms that the AppleAVD vulnerability on at least Big Sur can be exploited. According to Intego, the company is still trying to make a proof-of-concept of the other vulnerability, but that is difficult because details about the bug have been submitted anonymously to Apple. Intego says it has “high confidence” that CVE-2022-22654 affects both Big Sur and Catalina.
Apple has not yet provided an explanation as to why it has not fixed the bugs. In recent years, the company has come under increasing fire from security researchers who suggest vulnerabilities, but which are then not repaired or not repaired in time.