Apple released macOS Monterey 12.3.1 on March 31. In it, the company repaired two zero days. Both CVE-2022-22675and CVE-2022-22654 were actively exploited, according to Apple, but no details are known about that abuse. The first vulnerability is in AppleAVD. The out-of-bounds write vulnerability made it possible to execute code with kernel privileges. The second vulnerability is slightly less severe. This is a vulnerability in the Intel Graphics driver that makes it possible to read the kernel memory.
The vulnerabilities have been fixed in macOS Monterey, but not in older operating systems, security company Intego writes. The company says the vulnerabilities are in macOS 11, or Big Sur, and in macOS 10.15, or Catalina. AppleAVD’s first issue is not patched on Big Sur only. Catalina was not affected by that vulnerability because that OS does not use that component. The Intel Graphics bug affects both Big Sur and Catalina. An independent security researcher confirms that the AppleAVD vulnerability on at least Big Sur can be exploited. According to Intego, the company is still trying to make a proof-of-concept of the other vulnerability, but that is difficult because details about the bug have been submitted anonymously to Apple. Intego says it has “high confidence” that CVE-2022-22654 affects both Big Sur and Catalina.
Apple has not yet provided an explanation as to why it has not fixed the bugs. In recent years, the company has come under increasing fire from security researchers who suggest vulnerabilities, but which are then not repaired or not repaired in time.