The release of macOS Monterey 12.3.1 last Thursday addresses two critical vulnerabilities that may have already been exploited in the wild. Unfortunately, as noted by Intego this week, macOS Big Sur and macOS Catalina users are still vulnerable.
macOS Monterey 12.3.1 fixes two security flaws: an AppleAVD issue (CVE-2022-22675) that could allow an application to execute arbitrary code with kernel privileges, and an Intel Graphics Driver issue (CVE-2022-22674) that could allow an application to read kernel memory. Chained, a read primitive that leaks kernel addresses plus a kernel-level code execution bug is the classic path from a sandboxed app to full control of the machine.
Apple said it was aware of reports that these vulnerabilities “may have been actively exploited,” meaning attacks that use these specific security holes have already been observed, not just theorized.
After nearly a week, Apple still has not released corresponding security updates to address the same vulnerabilities in the two previous macOS versions, Big Sur (aka macOS 11) and Catalina (aka macOS 10.15).
Both of these macOS versions are ostensibly still receiving patches for “significant vulnerabilities,” and actively exploited zero-day vulnerabilities certainly qualify as significant. Apple has maintained the practice of patching the two previous macOS versions alongside the current one for nearly a decade. This time, however, Apple has not patched either Big Sur or Catalina against the latest actively exploited vulnerabilities, so users of those versions have no fix to install and no supported way to mitigate the bugs short of upgrading to Monterey.
According to Intego, this is the first time that Apple has not simultaneously released patches for Big Sur and Catalina alongside a security update provided for macOS Monterey.
Intego estimates that around 35% of Macs in use today could be affected by one or both vulnerabilities.
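For anyone managing a fleet, the practical question is which machines still sit on an unpatched release. The following POSIX shell script is an added example, not code from the article, Intego or Apple: it classifies a macOS version string against the article's facts (12.3.1 carries the fix; 11.x and 10.15.x had none at the time of writing). It assumes, as a simplification, that every 12.x release at or above 12.3.1 keeps the fix, and that anything newer than 12 postdates the article, and it uses the real `sw_vers -productVersion` command when run on a Mac. Status strings such as `unpatched-big-sur` are the example's own labels.

```sh
#!/bin/sh
# Added example (not from the article): classify a macOS version against the
# Monterey 12.3.1 fixes for CVE-2022-22674 and CVE-2022-22675.

# ver_ge A B: exit 0 if dotted version A is >= dotted version B (3 fields,
# missing fields treated as 0), else exit 1.
ver_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# macos_status VERSION: print one status word for a macOS productVersion.
# Assumption (ours, not the article's): 12.x >= 12.3.1 is fixed; 11.x and
# 10.15.x have no fix as of the article; majors above 12 postdate it.
macos_status() {
  v="$1"
  major="${v%%.*}"
  case "$v" in
    12.*)
      if ver_ge "$v" 12.3.1; then echo patched; else echo update-available; fi ;;
    11.*)
      echo unpatched-big-sur ;;
    10.15*)
      echo unpatched-catalina ;;
    *)
      if [ "$major" -gt 12 ] 2>/dev/null; then echo newer-than-article
      else echo unsupported-or-unknown; fi ;;
  esac
}

# When run on a Mac, report the local machine; elsewhere this does nothing.
if command -v sw_vers >/dev/null 2>&1; then
  cur="$(sw_vers -productVersion)"
  printf '%s: %s\n' "$cur" "$(macos_status "$cur")"
fi
```

Run it through your MDM or SSH loop and collect the status word per host; anything reporting `unpatched-big-sur` or `unpatched-catalina` has no vendor fix to apply, and anything reporting `update-available` is a Monterey box that simply has not installed 12.3.1 yet. Re-check the status mapping against Apple's security release notes before relying on it, since the Big Sur and Catalina lines may receive fixes after the article's date.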