
macrumors bot (original poster)


With the release of macOS Monterey 12.3.1 on Thursday, March 31, Apple addressed two critical vulnerabilities that may have been actively exploited in the wild, but as Intego pointed out this week, Apple left macOS Big Sur and macOS Catalina users vulnerable.


The macOS Monterey 12.3.1 update fixed a pair of security flaws, including an AppleAVD issue that could allow an application to execute arbitrary code with kernel privileges and an Intel Graphics Driver issue that could allow an application to read kernel memory. Apple said that it was aware of reports that these vulnerabilities "may have been actively exploited," aka there are attacks that use these specific security holes.

Apple often provides security updates for macOS Catalina and macOS Big Sur users alongside macOS Monterey updates to make sure that Mac users who continue to run older operating systems remain protected. Apple has not done so in this case, and there are no security fixes for macOS 11 Big Sur or macOS 10.15 Catalina.

macOS Big Sur and macOS Catalina are still being supported with updates for notable vulnerabilities, so it is not clear why security fixes have not been released. According to Intego, this is the first time that Apple has not released simultaneous security patches for Big Sur and Catalina alongside fixes provided for macOS Monterey.

Big Sur remains vulnerable to CVE-2022-22675 (the AppleAVD bug), while CVE-2022-22674 (an Intel Graphics Driver bug) likely impacts both Big Sur and Catalina, based on research conducted by Intego.

There are some Mac users who choose to remain on Big Sur or Catalina who could install Monterey to get security fixes, but other Mac users have older hardware that is not able to be updated to Monterey, and these users have no way to address the security flaws that are now publicized.

Intego estimates that around 35 percent of Macs in use today could be affected by one or both vulnerabilities, and Apple has not responded to the site's request for an update on when security fixes might come out for Big Sur and Catalina.

Article Link: Apple Fixed Two Actively Exploited Vulnerabilities in macOS 12.3.1 Monterey, But Hasn't Released Updates for Big Sur or Catalina
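As an added example (not part of the article, and not a tool from Intego or Apple), the script below walks a constructed inventory of `sw_vers` output and classifies each host against the facts stated above: Monterey 12.3.1 carries the fixes for CVE-2022-22675 (AppleAVD) and CVE-2022-22674 (Intel Graphics Driver), Big Sur has no fix for either, and Catalina is likely affected by CVE-2022-22674. Host names, version strings, the build-number placeholders and the `assess`/`report` helper names are assumptions; the CVE-to-version mapping is the article's snapshot, before any Big Sur or Catalina update shipped.

```python
"""Fleet check for the macOS 12.3.1 fixes described in the article.

Added example, not from the article or from Intego/Apple. The inventory is
constructed sample data; the version/CVE mapping reflects the article as
written (no Big Sur or Catalina security update released yet).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Fixed in macOS Monterey 12.3.1, per the article.
FIXED_IN = (12, 3, 1)
CVE_AVD = "CVE-2022-22675"  # AppleAVD: arbitrary code with kernel privileges
CVE_IGD = "CVE-2022-22674"  # Intel Graphics Driver: kernel memory read

# Constructed sample: what `sw_vers` printed on five hypothetical hosts.
# Build numbers are placeholders, not real Apple builds.
SAMPLE_INVENTORY: Dict[str, str] = {
    "mac-01": "ProductName:\tmacOS\nProductVersion:\t12.3.1\nBuildVersion:\tBUILD-A\n",
    "mac-02": "ProductName:\tmacOS\nProductVersion:\t12.3\nBuildVersion:\tBUILD-B\n",
    "mac-03": "ProductName:\tmacOS\nProductVersion:\t11.6.5\nBuildVersion:\tBUILD-C\n",
    "mac-04": "ProductName:\tMac OS X\nProductVersion:\t10.15.7\nBuildVersion:\tBUILD-D\n",
    "mac-05": "ProductName:\tMac OS X\nProductVersion:\t10.14.6\nBuildVersion:\tBUILD-E\n",
}


@dataclass
class Finding:
    host: str
    version: str
    status: str  # patched | update-available | no-fix-available | out-of-support
    exposed_to: List[str] = field(default_factory=list)


def parse_sw_vers(text: str) -> Dict[str, str]:
    """Turn `sw_vers` output ("Key:\\tValue" per line) into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def version_tuple(version: str) -> Tuple[int, ...]:
    """"12.3.1" -> (12, 3, 1); tuple comparison orders versions correctly,
    and a shorter tuple such as (12, 3) sorts below (12, 3, 1)."""
    return tuple(int(part) for part in version.split("."))


def assess(host: str, sw_vers_text: str) -> Finding:
    """Classify one host against the article's CVE/version facts."""
    version = parse_sw_vers(sw_vers_text)["ProductVersion"]
    v = version_tuple(version)
    if v >= FIXED_IN:
        return Finding(host, version, "patched")
    if v[0] == 12:
        # Monterey below 12.3.1: fixes exist, the host just has not installed them.
        return Finding(host, version, "update-available", [CVE_AVD, CVE_IGD])
    if v[0] == 11:
        # Big Sur: vulnerable to CVE-2022-22675, and likely CVE-2022-22674 too.
        return Finding(host, version, "no-fix-available", [CVE_AVD, CVE_IGD])
    if v[:2] == (10, 15):
        # Catalina: Intego's research says CVE-2022-22674 likely applies.
        return Finding(host, version, "no-fix-available", [CVE_IGD])
    # Mojave and older: out of Apple's security-update window; the article
    # states nothing about their exposure, so no CVEs are asserted here.
    return Finding(host, version, "out-of-support")


def report(inventory: Dict[str, str]) -> Dict[str, int]:
    """Count hosts per status; the list of findings is printed for the reader."""
    counts: Dict[str, int] = {}
    for host, text in sorted(inventory.items()):
        f = assess(host, text)
        counts[f.status] = counts.get(f.status, 0) + 1
        cves = ", ".join(f.exposed_to) or "-"
        print(f"{f.host:8} {f.version:8} {f.status:18} {cves}")
    return counts


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY))
```

In practice the inventory comes from running `sw_vers` on each managed Mac; the `no-fix-available` branch encodes the article's snapshot and should be revisited once Apple ships a Big Sur or Catalina security update, at which point those hosts move to `update-available`.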
This is terrible on Apple's part because even Mac users who stay within the last two releases of macOS are, often unknowingly as Intego's research revealed, put at risk. Worse, the lack of any written support timeline makes it impossible to have any kind of rational upgrade plan.

----------
A good discussion about how macOS inconsistencies and opaque updates are hurting users, for anybody interested:

"As far as macOS goes, everyone will tell you that Apple supports the current version for about a year before it’s replaced by a new major release, then provides two years of security updates for it. The strange thing about that is Apple doesn’t seem to have committed that to writing, and I’ve searched long and hard for its official policy on many occasions. This article sets out what Apple has actually done over the last few years, from OS X Mavericks onwards."
Apple is more and more pushing users to use the latest OS. That they removed the option to hide the nagging notification of new OS versions with a security update was just the start. Just providing a single patch for iOS 14 after the iOS 15 launch after promising 'it would continue to receive update' was a big FU to users.

I'm using a lot of apps that are too complex to be fully compatible with a new OS on day one, so I'm still running Big Sur. I'm not sure why Apple isn't updating Big Sur and Catalina. They really should communicate about it, but Apple's communication is lacking lately. I don't see why they can't backport the fixes with minimal effort certainly if they're actively exploited.
 
The fix could be more complicated on the legacy operating systems. Disappointing that it wasn't a coordinated release but even Apple can't snap their fingers and fix a software problem. It isn't all just about the capacity to pay the effort, there simply may not be enough experts in the institution and you can't just buy expertise where it doesn't exist. This is especially true for internal software.
 
Yeah, I'm in the same situation; I have to stay on Mojave. Dual booting would be awkward just to run key software.
In other Unix OSes that are 64-bit I can still run some 32-bit binaries by compiling or installing missing libraries. Why can't we do that for macOS? :rolleyes:
 
Wish they still actively supported macOS Mojave. Folks still use that OS for certain things (32-bit apps, Dashboard, iTunes, etc.)
Some say that 32-bit support on Mojave is not as good as on High Sierra... I heard there might be some limitations, but I am not sure what those limitations are...

Windows 11, which is the first Windows release with no 32-bit version, can still use 32-bit software unless the software publisher has completely moved on to just releasing 64-bit versions of the application...
 
It's not.

Big Sur and Catalina did get theirs on the same day with 12.3:

But they didn't with 12.2.1:

So, it's not unprecedented for there to be a gap of a few days.
Thank you for providing the data. My initial reaction was that I thought gaps of a few days were not unprecedented. So hopefully that's all it is. But they can get more hype and clicks if it is presented as a new thing.
 
This is disappointing.

I'm running a late 2012 Mini, so Catalina is the end of the line for it. And while I do plan to update to an M1 Mini, I was waiting until the next major OS release, when support for Catalina would officially end.
 
This is terrible on Apple's part because even Mac users who stay within the last two releases of macOS are, often unknowingly as Intego's research revealed, put at risk. Worse, the lack of any written support timeline makes it impossible to have any kind of rational upgrade plan.
This scenario is not unique to Apple. ______________ company has this issue as well. These companies are focused on supporting the current product, developing new products and maybe supporting the previous release or two. Security vulnerabilities are discovered all day, every day. This is one reason why it's important to stay on supported hardware and software. If you are using a version that is 3 or more revisions back and has reached end-of-support status, you can't fault the vendor for not providing updates, no matter how critical. They can as a goodwill gesture, but they aren't obligated to for end-of-support / end-of-sale / end-of-life products.
 
This is terrible on Apple's part because even Mac users who stay within the last two releases of macOS are, often unknowingly as Intego's research revealed, put at risk. Worse, the lack of any written support timeline makes it impossible to have any kind of rational upgrade plan.
Intego is just using FUD (Fear, Uncertainty, Doubt) to pitch their almost worthless software as a defense against malware and being hacked.

I am surprised most of these companies still operate because of their little worth. All you need to do is have common sense and take reasonable precautions with what you install on your Mac, along with understanding how these trojans work. It's not like Apple doesn't eventually provide security updates for older OS releases. I saw Catalina receive many security updates on my 2012 MBP before I swapped it out for an AS 2021 MBP. It's not like any of these fixes are absolutely necessary in most instances, as long as you are not putting yourself at risk just because Intego says buy our product, otherwise you might run into trouble. ;)

macOS uses Gatekeeper to protect you from most issues.

I'm using a 2014 MBP and Apple has still not said anything of the sort to me. Apple must really hate you. I wonder why.
Oh, your 2014 MBP is running Monterey just fine, huh? Good for you. I guess nobody else matters, whether they have good reason to hold off on the upgrade or not.
 
There is now a Big Sur RC1 for 11.6.6, build 20G604, so I think this might be released soon and fix the vulnerabilities for Big Sur. The final build number may be the same or slightly higher.

This, together with visualseed's post above about the Catalina beta, would indicate that Apple does intend to fix both Catalina and Big Sur in the near future.
 
In other Unix OSes that are 64-bit I can still run some 32-bit binaries by compiling or installing missing libraries. Why can't we do that for macOS? :rolleyes:
I could be wrong, but I'm pretty sure this is because the M1 (and recent A-series chips in iPhone/iPad, hence iOS is also 64-bit only) only provide the 64-bit instruction set, so 32-bit isn't possible at a hardware level on these chips, and this removal of 32-bit support has been mirrored on Intel in order to minimise fragmentation between the Apple silicon and Intel code bases. Deprecation of 32-bit support on Intel started happening a couple of macOS releases before the M1 was even announced, with warnings of 32-bit apps not being supported in future releases, presumably in order to get developers to make the shift to 64-bit only in preparation for 32-bit not being available on the M1.
 
There is now a Big Sur RC1 for 11.6.6, build 20G604, so I think this might be released soon and fix the vulnerabilities for Big Sur. The final build number may be the same or slightly higher.
The 11.6.6 update and the matching Catalina update are currently on the same schedule as 12.4, so these are unlikely to be released sufficiently soon.
 