
Report: Apple "neglects" to patch zero-days for older macOS versions

Analysis shows a large proportion of Macs in operation remain unprotected against the actively exploited flaws patched last week


Software security company Intego estimates around 35-40% of all Mac computers are currently vulnerable to zero-days Apple 'neglected' to patch.

The two actively exploited zero-day vulnerabilities were addressed by Apple in an earlier security fix, but it failed to release patches for older versions of macOS, namely Big Sur and Catalina.

Apple released an emergency patch for two zero-days last week, tracked as CVE-2022-22674 and CVE-2022-22675, both of which Apple said were under active exploitation.

Both security vulnerabilities affected macOS, and the latter (CVE-2022-22675) also affected iOS and iPadOS, said Joshua Long, chief security analyst at Intego. Some older versions such as iOS 14 were also left out of last week’s patch, but this could be explained by Apple “quietly” ending support for iOS 14 in January 2022.

“Both of these macOS versions are ostensibly still receiving patches for ‘significant vulnerabilities’ - and actively exploited zero-day vulnerabilities certainly qualify as significant,” said Long in a blog post.

“Apple has maintained the practice of patching the two previous macOS versions alongside the current macOS version for nearly a decade. But now, Apple has neglected to patch both Big Sur and Catalina to address the latest actively exploited vulnerabilities.”


Long said Catalina does not include the vulnerable component, AppleAVD, involved in CVE-2022-22675, so it is not affected by that flaw specifically. However, Catalina is believed to be vulnerable to CVE-2022-22674, and Big Sur is believed to be vulnerable to both.

Apple has reportedly not responded to Intego’s requests for clarity on why the older macOS versions have not received the security patches, despite still receiving security updates more generally.

Long pointed out that this isn’t the first time Apple has neglected older macOS versions in security updates. According to the security analyst, Apple also failed to patch two of the seven WebKit vulnerabilities found in Safari back in October for macOS Big Sur and Catalina.

“A preliminary assessment of just the first round of patches at macOS Monterey’s release in October 2021 indicated that there may have already been well over a dozen vulnerabilities that were not patched for previous macOS versions,” said Long.

Back when Big Sur was the newest macOS version running on Apple computers, the researcher’s analysis showed that less than half of the hundreds of security vulnerabilities known at the time were fixed for all three of the then most recent macOS versions.

Around 16% were patched for the most recent two versions and 34% were patched only for the most recent, Big Sur.
