'Apple has left known zero-day vulnerabilities in macOS unfixed,' he said.



Intego, a developer of security software for the Mac, points out that 'Apple has neglected to patch the zero-day vulnerabilities in macOS Catalina (macOS 10.15 and later) and macOS Big Sur (macOS 11 and later).'

Apple Neglects to Patch Two Zero-Day, In-the-Wild Vulnerabilities for macOS Big Sur, Catalina - The Mac Security Blog
https://www.intego.com/mac-security-blog/apple-neglects-to-patch-zero-day-wild-vulnerabilities-for-macos-big-sur-catalina/

Apple has yet to fix zero-day exploits for macOS Big Sur and Catalina - 9to5Mac
https://9to5mac.com/2022/04/05/apple-has-yet-to-fix-zero-day-exploits-for-macos-big-sur-and-catalina-users/

On March 31, 2022, Apple released macOS Monterey 12.3.1 (macOS 12 and above), patching 'two actively exploited zero-day vulnerabilities.'

However, Intego said, 'Almost a week after macOS Monterey 12.3.1 was released, Apple still has not released any security updates to address the same zero-day vulnerabilities in the earlier versions of macOS, Big Sur and Catalina,' pointing out that the zero-day vulnerabilities fixed in Monterey remain in Big Sur and Catalina.

For the past decade, Apple has patched the latest macOS together with the two previous major versions. However, Intego points out that Apple has decided to stop this practice and is not providing security updates for the two major versions before Monterey, namely Big Sur and Catalina.



The two zero-day vulnerabilities in question are 'CVE-2022-22675' and 'CVE-2022-22674'. Monterey addresses both, but the previous major version, Big Sur, remains unpatched for both 'CVE-2022-22675' and 'CVE-2022-22674', and the version before that, Catalina, remains unpatched for 'CVE-2022-22674'.

CVE-2022-22674
'CVE-2022-22674' is a vulnerability in the Intel Graphics Driver component and is believed likely to affect both Big Sur and Catalina. It has been fixed in Monterey, but Big Sur and Catalina both remain vulnerable.

Apple described 'CVE-2022-22674' in its patch notes as 'a vulnerability reported by an anonymous researcher', but without reverse engineering it is 'difficult' to confirm whether the vulnerability affects earlier versions of macOS. Intego said, 'Until it is possible to reverse engineer the Monterey patch for CVE-2022-22674, based on past experience we have to assume that this vulnerability is likely to exist in both Big Sur and Catalina.'

CVE-2022-22675
Mickey Jin, who analyzes vulnerabilities in Apple's operating systems, has confirmed by reverse engineering macOS Monterey 12.3.1 that Big Sur contains 'CVE-2022-22675'. In addition, it was revealed that M1 Macs running Big Sur remain vulnerable to 'CVE-2022-22675'.

Intego appears to have asked Apple why 'CVE-2022-22675' has not been fixed in Big Sur, but had received no response at the time of writing. Catalina, on the other hand, is not affected by the vulnerability because it does not contain AppleAVD, the vulnerable component behind 'CVE-2022-22675'.

According to Jin, both iOS 14 and iPadOS 14 also remain vulnerable to 'CVE-2022-22675'. However, Apple officially stopped supporting iOS 14 and iPadOS 14 in January 2022, so Intego said 'it's not surprising', pointing out that users need to update to a major version later than iOS 14 / iPadOS 14. 'CVE-2022-22675' has been fixed in iOS / iPadOS 15.4.1.
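As an added example (not from the article, Intego or Apple), the version-to-CVE mapping the article describes, encoded as a fleet triage helper. It assumes version strings in the form reported by `sw_vers -productVersion`; the hostnames and versions in the inventory are constructed.

```python
"""Triage macOS version strings by which of the two CVEs remain unpatched.

Mapping taken from the article: Monterey 12.3.1 fixed both CVEs; Big Sur (11)
has neither fix; Catalina (10.15) lacks the CVE-2022-22674 fix but is not
affected by CVE-2022-22675 because AppleAVD is absent.
"""
from typing import Dict, List, Tuple

CVE_GPU = "CVE-2022-22674"   # Intel Graphics Driver
CVE_AVD = "CVE-2022-22675"   # AppleAVD
MONTEREY_FIXED = (12, 3, 1)  # first Monterey release carrying both fixes


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '10.15.7' into (10, 15, 7); missing trailing fields count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


def unpatched_cves(version: str) -> List[str]:
    """Return the CVE ids the article reports as still unfixed on this version.

    Raises ValueError for versions the article does not cover (pre-Catalina
    or newer than Monterey) so they are never silently reported as clean.
    """
    v = parse_version(version)
    if v[:2] == (10, 15):                       # Catalina
        return [CVE_GPU]
    if v[0] == 11:                              # Big Sur
        return [CVE_GPU, CVE_AVD]
    if v[0] == 12:                              # Monterey
        return [] if v >= MONTEREY_FIXED else [CVE_GPU, CVE_AVD]
    raise ValueError(f"{version}: not covered by the article")


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by outstanding CVE; out-of-scope versions are listed separately."""
    report: Dict[str, List[str]] = {CVE_GPU: [], CVE_AVD: [], "out_of_scope": []}
    for host, ver in inventory:
        try:
            cves = unpatched_cves(ver)
        except ValueError:
            report["out_of_scope"].append(host)
            continue
        for cve in cves:
            report[cve].append(host)
    return report


# Constructed inventory, e.g. collected from `sw_vers -productVersion` per host.
SAMPLE_INVENTORY = [("mac-a", "12.3.1"), ("mac-b", "12.3"), ("mac-c", "11.6.5"),
                    ("mac-d", "10.15.7"), ("mac-e", "10.14.6")]

if __name__ == "__main__":
    for cve, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{cve}: {', '.join(hosts) or '-'}")
```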

Some Mac users, however, cannot upgrade from Big Sur to Monterey.



According to Intego, this is the first time Apple has failed to give Big Sur and Catalina a fix for a vulnerability it has patched in Monterey. Previously reported vulnerabilities were patched in Monterey, Big Sur and Catalina at the same time.



'The purpose of this article is to point out the existence of "two actively exploited vulnerabilities" in Big Sur and Catalina,' said Intego. 'There are also dozens of vulnerabilities that Apple does not consider to be actively exploited, and Big Sur and Catalina still have these vulnerabilities.'

Josh Long, an analyst at a security research firm, said, 'The following table summarizes the vulnerabilities that Apple has patched or left unpatched. Note that they are patched only in the latest major version of macOS.' According to this table, more than 12 vulnerabilities remain unpatched.



According to Intego, the macOS version share at the time of writing is as shown in the graph below. About 55-60% of Macs may be affected by 'CVE-2022-22674' and 'CVE-2022-22675', that is, Macs running Big Sur, Catalina or an earlier macOS.



Software engineers and security analysts have pointed out that 'Apple has left known vulnerabilities unfixed.'

Vulnerability sent to Apple's Bug Bounty Program turns out to be unfixed for half a year; 'disappointed' discoverer publishes zero-day vulnerabilities - GIGAZINE



in Software, Security, Posted by logu_ii