Apple hasn't patched critical vulnerabilities in macOS Big Sur & Catalina

By William Gallagher

Despite issuing an update to address two zero-day vulnerabilities in macOS Monterey, Apple has yet to apply it to the last two macOS versions, reportedly leaving up to 40% of actively used Macs at risk.

Apple addressed the critical bugs in its March 31, 2022 update to macOS Monterey. As yet, however, it has not updated macOS Big Sur and macOS Catalina.

According to The Mac Security Blog, Apple has traditionally supported the current and previous two versions of macOS with security updates.

One of the two actively exploited vulnerabilities still specifically targets Big Sur. Bug CVE-2022-22675, concerns AppleAVD, the framework used for audio and video decoding.

The second bug, CVE-2022-22674, is in the Intel Graphics Driver and still affects both Big Sur and Catalina. The Mac Security Blog estimates that this means 35% to 40% of all active Macs are vulnerable.

Intego, publisher of the blog, says that it has "high confidence that CVE-2022-22674 likely affects both macOS Big Sur and macOS Catalina." It bases this in part on how, it says, "nearly all vulnerabilities in the Intel Graphics Driver" have affected all versions of macOS.

Apple has not yet commented. However, it has released an update to iOS and iPadOS that reportedly patch the AppleAVD bug on iPhones and iPads.