Report: Apple "neglects" to patch zero-days for older macOS versions

News
By Connor Jones
published

Analysis shows large proportion of Macs in operation remain unprotected to the actively exploited flaws patched last week

The Apple logo displayed next to a promotional poster for macOS Big Sur

Software security company Intego estimates around 35-40% of all Mac computers are currently vulnerable to zero-days Apple 'neglected' to patch.

The two actively exploited zero-day vulnerabilities were addressed by Apple in an earlier security fix, but it failed to release patches for older versions of macOS, namely Big Sur and Catalina.

Apple releases emergency patch fixing zero-days across iOS and macOS Apple iPad Air (2020) review: The executive’s choice Patch management vs vulnerability management

Apple released an emergency patch for two zero-days last week, tracked as CVE-2022-22674 and CVE-2022-22675, both of which Apple said was under active exploitation.

Both security vulnerabilities affected macOS and the latter (CVE-2022-22675) also affected iOS and iPadOS too, said Joshua Long, chief security analyst at Intego. Some older versions such as iOS 14 were also neglected in last week’s patch but this could be explained by Apple “quietly” ending support for iOS 14 in January 2022.

“Both of these macOS versions are ostensibly still receiving patches for ‘significant vulnerabilities’ - and actively exploited zero-day vulnerabilities certainly qualify as significant,” said Long in a blog post.

“Apple has maintained the practice of patching the two previous macOS versions alongside the current macOS version for nearly a decade. But now, Apple has neglected to patch both Big Sur and Catalina to address the latest actively exploited vulnerabilities.”

RELATED RESOURCE

The state of SD-WAN, SASE and zero trust security architectures

Be a leader in the deployment of zero trust, SD-WAN and SASE

FREE DOWNLOAD

Long said Catalina does not have the vulnerable component, AppleAVD, involved in CVE-2022-22675 so is not vulnerable to this specifically. However, it is believed to be vulnerable to CVE-2022-22674 and Big Sur is believed to be vulnerable to both.

Apple has reportedly not responded to Intego’s requests for clarity on why the older macOS versions have not received the security patches, despite still receiving security updates more generally.

Long pointed out that this isn’t the first time Apple has neglected older macOS versions in security updates. According to the security analyst, Apple failed to patch two out of the total seven WebKit vulnerabilities found in Safari back in October for macOS Big Sur and Catalina too.

See more

“A preliminary assessment of just the first round of patches at macOS Monterey’s release in October 2021 indicated that there may have already been well over a dozen vulnerabilities that were not patched for previous macOS versions,” said Long.

Back when Big Sur was the newest macOS version running on Apple computers, the researcher’s analysis showed less than half of the hundreds of security vulnerabilities known at the time were fixed for the then-three most recent macOS versions.

Around 16% were patched for the most recent two versions and 34% were patched only for the most recent, Big Sur.

Connor Jones
Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.