Last week, Apple fixed two vulnerabilities actively exploited by hackers in macOS Monterey, but at the same time left users of older versions of its desktop OS open to attacks.
According to Intego, the patches fix vulnerabilities CVE-2022-22675 in AppleAVD and CVE-2022-22674 in Intel Graphics Driver in macOS Monterey, but they have not been ported to macOS Big Sur and macOS Catalina.
The vulnerability CVE-2022-22675 is still present in macOS Big Sur, but is absent in Catalina, since the component for decoding the audio and video signal AppleAVD is not provided in this OS version. However, the vulnerability in Intel Graphics affects both versions of macOS.
It is worth noting that it is unusual for Apple to fix vulnerabilities in macOS Monterey, but leave them in Big Sur and Catalina. The previously disclosed three vulnerabilities, which were also actively exploited by hackers, were simultaneously fixed in Monterey, Big Sur and Catalina. Why Apple decided to do otherwise this time is unclear.
Unlike Microsoft, which regularly reports on the end of the lifecycle of a particular version of Windows, Apple notifies of hardware obsolescence, but does not say anything about the termination of support for macOS. Recently, it has maintained an active release of macOS for a year, while simultaneously publishing updates for the previous two versions.
Big Sur support is expected to end around November 2022, and Catalina in November 2023.
Currently, 35-40% of macs are running on the basis of vulnerable versions of macOS.
The vulnerability in AppleAVD affects “macs” with M1 processor running macOS Big Sur, as well as devices running iOS 14 and iPadOS 14, which Apple stopped supporting in January of this year.
CVE-2022-22675 is a write vulnerability outside of the allocated memory area that allows arbitrary code to be executed with kernel privileges.
The problem in Intel Graphics (CVE-2022-22674) is a read vulnerability outside of the allocated memory area that allows reading data in kernel memory.