Two unpatched zero-day vulnerabilities in Apple macOS Big Sur and macOS Catalina

A few days ago Apple released fixes for two actively exploited vulnerabilities in macOS Monterey, but users of older versions of the operating system are not receiving updates. The flaws, tracked as CVE-2022-22675 and CVE-2022-22674, are not specific to Monterey: both are believed to be present in macOS Big Sur and macOS Catalina as well, and neither of those releases has received a fix.

macOS Monterey was released in October 2021 and is the current version of the operating system. Apple did not respond to requests to explain why it has opted to leave older macOS installations without updates for these actively exploited flaws.

Unlike Microsoft, which publishes a Windows Lifecycle Policy with dated end-of-support commitments, Apple publishes hardware obsolescence dates but makes no written commitment about how long each macOS release will receive security updates. Based on Apple's usual practice of patching the three most recent releases, support for macOS Catalina is expected to end later this year, while Big Sur could reach end of life in November 2023. Estimates put the share of Macs currently in use that run one of these two releases, and are therefore exposed, at between 35% and 40%.

As for the flaws themselves, CVE-2022-22675 is an out-of-bounds write in AppleAVD, a kernel extension used for video decoding; exploiting it lets an application execute arbitrary code with kernel privileges. CVE-2022-22674 is an out-of-bounds read in the Intel Graphics Driver that lets an application read kernel memory; it is confirmed in Big Sur and likely present in Catalina. Apple's advisory says only that each issue "may have been actively exploited" and does not say whether the two were used together, but the pairing has the classic shape of a kernel exploit chain: a read primitive leaks kernel addresses to defeat kernel ASLR, and a write primitive turns that knowledge into code execution. Because the Intel Graphics Driver exists only on Intel-based Macs, CVE-2022-22674 does not affect Apple silicon machines.
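For anyone who manages a Mac fleet, the practical question is which machines can be patched and which cannot. The following script is an added example, not code from the article, Apple or Intego. It classifies a macOS product version string against the fix: the cutoff it uses, Monterey 12.3.1, is the update whose release notes credit both CVEs and is an assumption on my part, since the article itself does not name the version. Big Sur (11.x) and Catalina (10.15) are reported as having no fix available, matching the article; anything older than Catalina is reported as end of life.

```shell
#!/bin/sh
# macos_patch_status VERSION
#   Prints one of: patched | unpatched | no-fix-available | end-of-life | unknown
#
# Assumption (not stated in the article): the fixes for CVE-2022-22675 and
# CVE-2022-22674 shipped in macOS Monterey 12.3.1, so any 12.x below 12.3.1
# is unpatched and anything newer than Monterey already carries the fix.
macos_patch_status() {
    ver="$1"

    # Reject anything that is not dotted digits (empty string, "unknown", etc.).
    case "$ver" in
        ""|*[!0-9.]*) echo unknown; return 0 ;;
    esac

    # Split "major.minor.patch" with POSIX parameter expansion only;
    # missing components default to 0 so "12" and "12.3" are handled.
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0
    minor=${rest%%.*}
    rest2=${rest#*.}
    [ "$rest2" = "$rest" ] && rest2=0
    patch=${rest2%%.*}
    minor=${minor:-0}
    patch=${patch:-0}

    case "$major" in
        12)
            # Monterey: fixed at 12.3.1 and later.
            if [ "$minor" -gt 3 ] || { [ "$minor" -eq 3 ] && [ "$patch" -ge 1 ]; }; then
                echo patched
            else
                echo unpatched
            fi
            ;;
        11)
            # Big Sur: affected, no fix published at the time of writing.
            echo no-fix-available
            ;;
        10)
            # 10.15 is Catalina (affected, no fix); anything older is out of support entirely.
            if [ "$minor" -eq 15 ]; then
                echo no-fix-available
            else
                echo end-of-life
            fi
            ;;
        *)
            # Releases after Monterey ship with the fix; anything else is unrecognised.
            if [ "$major" -gt 12 ]; then
                echo patched
            else
                echo unknown
            fi
            ;;
    esac
}

# When run on a Mac, classify the local machine; elsewhere (or under a test
# harness) sw_vers does not exist and this block is skipped.
if command -v sw_vers >/dev/null 2>&1; then
    printf '%s -> %s\n' "$(sw_vers -productVersion)" "$(macos_patch_status "$(sw_vers -productVersion)")"
fi
```

Feed it the output of `sw_vers -productVersion` from your inventory tool or MDM export; a machine reported as `no-fix-available` cannot be remediated by updating within its current release, only by upgrading to Monterey or by isolating it.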

Joshua Long of security firm Intego believes the second flaw almost certainly affects both older versions of the operating system: “We are confident that CVE-2022-22674 will likely affect both macOS Big Sur and macOS Catalina, as almost all of the vulnerabilities in the Intel Graphics Driver component recently detected impact all versions of macOS.”

The researcher added that Big Sur and Catalina also carry dozens of other unpatched vulnerabilities that are not known to be actively exploited but still represent a risk: “Apple has an unfortunate history of leaving macOS deployments unprotected against some actively exploited attacks, in what some know as a perpetual zero-day vulnerability scenario.”

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.