Apple leaves critical bugs unpatched in macOS Big Sur and Catalina

Bugs in macOS Big Sur
Written by Emma Davis

Apple fixed two actively exploited bugs in macOS Monterey last week, but Intego analysts emphasize that the company left users of older supported versions of its OS, namely Big Sur and Catalina, unprotected.

The vulnerabilities in question are CVE-2022-22674 (a bug in the AppleAVD media decoder code) and CVE-2022-22675 (an out-of-bounds write in the Intel Graphics Driver).

Intego expert Joshua Long writes that the AppleAVD issue remains unfixed in macOS Big Sur (Catalina is not affected at all, as it lacks the AppleAVD component). According to him, the Intel Graphics Driver vulnerability affects both Big Sur and Catalina, and in both cases the OS was left without a patch.

Let me remind you that support for macOS Catalina is expected to end around November 2022, and support for macOS Big Sur in November 2023. Apple sets very clear deadlines for the obsolescence of its hardware, but says little about its macOS support policy. Typically, the company maintains the current release of macOS for about a year, while in parallel publishing updates and patches for the previous two releases of the OS. But it looks like something has changed.

“This is the first time since the release of macOS Monterey that Apple has neglected to patch actively exploited vulnerabilities in Big Sur and Catalina. The previous three actively exploited vulnerabilities were addressed simultaneously for Monterey, Big Sur and Catalina,” says Long.

At the same time, Apple representatives have not explained why the company suddenly left older versions of macOS without patches, and Long notes that, as a result, approximately 35-40% of Macs currently in use are vulnerable to one or both bugs.

Long adds that there are dozens of other vulnerabilities in Big Sur and Catalina that are simply not being exploited as actively by hackers.

“Apple has an unfortunate history of deliberately leaving ‘supported’ versions of macOS unprotected from some actively exploited issues. Such situations, when the vendor simply decides not to release patches, are sometimes called ‘eternal 0-day vulnerabilities’,” the expert sums up.

Let me remind you that we previously wrote that the Research team uncovered 55 vulnerabilities in Apple products, and also that Apple fixed a vulnerability in HomeKit that allowed DoS attacks on iPhones and iPads.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
