Apple Neglects to Patch Two Zero-Day Vulnerabilities for Big Sur, Catalina

Topic

New Reply

https://www.intego.com/mac-security-blog/apple-neglects-to-patch-zero-day-wild-vulnerabilities-for-macos-big-sur-catalina/

Apple has chosen to leave an estimated 35–40% of all supported Macs in danger of actively exploited vulnerabilities.

Last week, on March 31, Apple patched two “actively exploited” (i.e. in-the-wild, zero-day) security vulnerabilities for macOS Monterey.

After nearly a week, Apple still has not released corresponding security updates to address the same vulnerabilities in the two previous macOS versions, Big Sur (aka macOS 11) and Catalina (aka macOS 10.15)….

Reply | Quote

Replies

[OscarCP]

It is today two weeks, counting since March 31st, when Apple sent security updates to Monterey, because of two zero-day threats in the wild that it may not yet be clear if Catalina is vulnerable to and Big Sur is supposed to be vulnerable to at least one. But, as far as I know, no security updates have been sent for these two previous versions of macOS that are still fully supported.

This article from Intego, a company that for many years has provided AV and other protective software for Macs, came out a week ago and since then has been essentially the source informing most of the commentary in blogs and online articles on this issue of concern to many Mac users.

I came across this article thanks to Alex, that included the link to it in one of his own comments:

https://www.intego.com/mac-security-blog/apple-neglects-to-patch-zero-day-wild-vulnerabilities-for-macos-big-sur-catalina/

Another article on this very same issue:

https://nationalcybersecuritynews.today/nearly-40-of-macs-left-exposed-to-2-zero-day-exploits-macos-macsecurity/

Excerpt:

“Long [the author of the Intego article] says Intego was able to confirm that Big Sur is vulnerable to CVE-2022-22675 by reverse-engineering the patch that Apple released for the flaw for macOS Monterey.

“Catalina is not impacted by CVE-2022-22675 because it doesn’t have the affected component,” he says. Intego has not yet reversed-engineered the patch for CVE-2022-22674, so the company has not been able to confirm if the vulnerability is present in Big Sur and Catalina.

But it is very highly likely the vulnerability impacts those two operating systems as well. That’s because nearly every single vulnerability in the Intel Graphics Driver component in recent years has impacted all versions of macOS. There’s no reason to believe the present vulnerability is any different, according to Long.

Intego said that there are dozens of other vulnerabilities in Big Sur and Catalina that Apple has not addressed over the years.

Apple, like many other major software vendors, has had its share of criticism in the past over its patching practices and what many perceive as its reluctance to share detailed information on critical security issues. Last November, security vendor Malwarebytes slammed the company for taking some seven months to address a serious vulnerability in Catalina even though the flaw was being exploited for months. Malwarebytes described the incident as an example of Apple’s unreliability when it comes to fixing anything but the latest versions of its operating systems and software.”

So here are the two questions I have about this:

(1) Have the security updates for Catalina and Big Sur been already sent out by Apple, but it is taking some time for them to reach all users?

(2) If the answer to (1) is “no” and Apple has not yet explained the delay, would it be wiser:

(a) To wait some time longer.

Or

(b) To upgrade to Monterey as son as possible?

Thank you in advance for any practical and informed answers to these two questions.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

• This reply was modified 4 months ago by OscarCP.
• This reply was modified 4 months ago by Paul T.

Reply | Quote

I don’t have answers to your questions, just a few comments.

It strikes me that Apple is so secretive that no one other than Apple really knows if the vulnerabilities have been patched.

I get a bit suspicious when antivirus/security vendors start slamming Apple, Microsoft, Linux, etc for supposed vulnerabilities in their operating systems. It strikes me as a potential conflict of interest.

I get the impression that most articles and their authors assume that all macOS vulnerabilities will be patched with a security update, by which I mean those updates that are identified with something like Catalina Security Update 2022-003. But my understanding is that’s not always the case. My iMAC and MacBook Air from time to time get updates to MRTConfigData and XProtectPListConfigData both of which can be found under Installations. (Apple/About this Mac/System Report/Installations). The updates to these 2 happen automatically and the only way I know they’ve updated is to check Installations.

Unless Apple is sure the vulnerabilities can’t be exploited – or exploited only with great difficulty – they would be foolish to leave their operating systems knowingly vulnerable.

Reply | Quote

DrBonzo: Following your suggestions, I just checked “Installations” in my Mac. The ones listed there for my current OS, Big Sur, are only the ones I have installed already.

Strangely enough, several Monterey updates are also listed there, the most recent dated April 1st of this year.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I’m running Catalina and when I go to Installations by the method I described above, I can see the Catalina Updates that I’ve installed, but I also see the the MRTConfigData and XProtectPListConfigData updates that have been installed automatically, i.e., not installed by me or with my approval. I also see a couple of Monterey updates although I think they’re called Monterey Installer.

Reply | Quote

DrBonzo: “I also see a couple of Monterey updates although I think they’re called Monterey Installer.”

For what is worth, in  my Mac these installations are actually called just “macOS Monterrey”, as shown here:

They all have the version number in the same line, the latest, 12.3.1, is the number of the latest Monterrey update and the date is 1st April. This, to me, is intriguing.

Maybe, as you wrote, these are successive updates of the application to install Monterey, but the application is called”install macOS Monterey.app”, not “macOS Monterey”. And it is not listed there, probably because it has not been installed, at least not by me. And I am the only user of this machine, that is still running Big Sur.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

I made a thread earlier this year that involved an “Install macOS Monterey.app” being downloaded onto a Mac running Big Sur (a 12 GB download!) without permission from the user. Granted it doesn’t run without user consent, so no user will be forced to upgrade. I checked my installation log and saw “macOS Monterey” listed there as well, seemingly corresponding to each time macOS automatically downloaded the Monterey installer. This is despite the fact that I was running Big Sur the whole time, and never initiated the Monterey install.

Which is funny, because I just upgraded to Monterey a few days ago (this time under my own terms) and the install log also lists “macOS Monterey”—the exact same name and format—for the actual installation of Monterey!

I did also notice one other thing in the install log: an item called “macOS Installer Notification”, that predates all of those bizarre, unauthorized “Install macOS Monterey” downloads. Maybe that could be the culprit?

Reply | Quote

Anonymous: Until earlier this year still I had the “install.high.sierra.app” in my Mac, before I noticed it and deleted it. So this is not quite a new development.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

DrBonzo wrote:

Unless Apple is sure the vulnerabilities can’t be exploited – or exploited only with great difficulty – they would be foolish to leave their operating systems knowingly vulnerable.

Apple has confirmed these vulnerabilities are exploited in the wild.

1 user thanked author for this post.

DrBonzo

Reply | Quote

To me the statement by Joshua Long in the Intego article is something to take seriously, in particular:

“Intego was able to confirm that Big Sur is vulnerable to CVE-2022-22675 by reverse-engineering the patch that Apple released for the flaw for macOS Monterey”

This seems to be confirmed by Alex in his last comment here.

Alex, do you have a reference on this? I have not been able to find one when searching the Web to see if there were news coming out of Apple on this in the last few days.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Is the CISA doing something about this?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

Big Sur is not just used by individuals, like myself at home, but also by government agencies and companies. For example, at the NASA Center I work, those of us with Macs are still running Big Sur in them. I know, because I have a NASA-issue MacBook Pro running Big Sur to connect to the Center via VPN and do telecommuting work there, as well as to read and answer emails, etc.

I have asked about this and also have looked at NASA just now, for any announcements relevant to this, but seen no indications, so far, that at this Center at least, people are being told to move to Monterey, or that there are any rumors about such an impending move.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

bassmanzam

Reply | Quote

Apple actually has a security patch 11.6.6 for Big Sur, in beta. It has been out for more than a week. The final version has not been released yet. Perhaps it still is being tested and debugged?

https://arstechnica.com/civis/viewtopic.php?f=19&t=1483611&view=unread

https://www.macworld.com/article/630407/macos-big-sur-11-6-6-security-updates.html

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

Alex5723

Reply | Quote