Apple criticised over unpatched CVEs in Catalina, Big Sur

Apple patched two zero-days in macOS Monterey last week, but did not address the same issue in Catalina or Big Sur, raising questions

Apple is again coming in for criticism after rushing a series of patches to address two separate zero-days in its macOS Monterey operating system, as well as various iPhone and iPad models, but neglecting to offer an update to older Mac computers running macOS Catalina and Big Sur.

CVE-2022-22674 in the Intel Graphics Driver and CVE-2022-22675 in the AppleAVD video and decoding framework are, respectively, an out-of-bounds read issue and an out-of-bounds write issue that leave the device kernel dangerously exposed to a potential attacker, who – in a worst-case scenario – could take total control of the victim’s device.

“This is the first time since the release of macOS Monterey that Apple has neglected to patch actively exploited vulnerabilities for Big Sur and Catalina,” said Joshua Long, chief security analyst at Intego, a specialist supplier of security services for Apple users. “The previous three actively exploited vulnerabilities were each patched simultaneously for Monterey, Big Sur, and Catalina.”

According to Long, reverse engineering of the patch has shown that macOS 11, aka Big Sur, released on 12 November 2020, is vulnerable to CVE-2022-22675, although version 10.15, aka Catalina, released on 7 October 2019, is not, because Catalina does not use AppleAVD. He added that it is likely that both Big Sur and Catalina are vulnerable to CVE-2022-22674, although work to confirm this is currently ongoing.

“We have high confidence that CVE-2022-22674 likely affects both macOS Big Sur and macOS Catalina. Nearly all vulnerabilities in the Intel Graphics Driver component in recent years have affected all versions of macOS,” he said.

Long said Mac systems running Catalina and Big Sur are thought to account for between 35% and 40% of Apple’s current installed base, although this is an imprecise figure as Apple no longer distinguishes between macOS versions in browser User-Agent strings, making it much harder for outsiders to tell them apart.

The decision not to patch Catalina and Big Sur comes as something of a departure for Apple, which is notoriously secretive about its patching policies but has generally released patches for the current and two previous major macOS versions, usually simultaneously.

Long added that the problem may well affect other macOS versions. Research conducted last year by Intego, prior to the release of Monterey, found that 48% of over 400 vulnerabilities patched by Apple were fixed on all three supported versions of macOS (at the time, Catalina, Big Sur and Mojave), but that 34% were only patched for Catalina and Big Sur, and 16% were only patched for Big Sur. Out of those that were actively exploited on disclosure – in other words, zero-days – those figures all rose.

“Apple has an unfortunate history of knowingly leaving ‘supported’ macOS versions unprotected from some in-the-wild, actively exploited attacks. This type of scenario where a vendor chooses not to release a patch is sometimes referred to as a ‘perpetual zero-day’,” said Long.

Long said the only way for the average user to ensure their Mac is as safe as possible is to upgrade to Monterey, although for compatibility reasons many will find this impossible. “[But] the average person would never know this, because Apple still releases patches for Big Sur and Catalina, most recently just three weeks ago, on March 15. It isn’t obvious to most people that Apple’s patches for these macOS versions are incomplete,” he said.

This is not the first time in recent months that Cupertino has come under fire from security experts over its practices. In October 2021, amid mounting frustration with Apple’s Bug Bounty programme, several ethical hackers went on the record to say they were considering making their discoveries public to force the tech giant’s hand.

One researcher, who disclosed three apparent zero-days in iOS to Apple, said the company had failed to properly credit him, and criticised how it goes about communicating with bounty hunters. Another told Computer Weekly’s sister site SearchSecurity that their reports were not acknowledged or triaged, and that in some instances they had not received a bounty payout.

Computer Weekly contacted Apple to try to better understand the situation and offer the firm a right to reply, but it had not responded to our approaches at the time of writing.
