Most users would not consider a music production application like GarageBand to be security-critical. But, as with any software, it can have security holes, and the macOS version of Apple's free music-making tool is no exception: users should update promptly to version 10.4.11, which was released this week.
Attack through the front door
As Apple states on its security updates page, earlier versions of GarageBand (Apple does not say from which version on) contained a bug that gave attackers several ways to do damage. Both macOS 14 (Sonoma) and macOS 13 (Ventura) were affected. The problem is a so-called use-after-free, a memory-safety bug in which the program keeps using a block of memory after it has already been released, so that attacker-controlled data can end up in it. A manipulated GarageBand file could exploit this both to crash the app and to execute arbitrary code, although the latter apparently only with the privileges of the user running the app, not as root.
In practice, this meant that an attacker could have used the bug, tracked as CVE-2024-23300, to compromise a Mac with a crafted GarageBand file and possibly take it over. All it took was for the user to open the file in GarageBand. Whether such attacks have actually taken place, or whether an exploit is in circulation, is unknown; at least Apple gives no such warning. The problem was fixed through "improved memory management," writes the Mac manufacturer.
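To make the bug class concrete, here is an added example that is not GarageBand's code (which is closed source) and not taken from Apple's advisory: a tiny parser for a hypothetical, constructed project-file format with three record types (allocate a track buffer, free it, write into it). The function names parse_vulnerable and parse_hardened, the record format and the two input files are all assumptions made for this illustration. The vulnerable parser keeps using the track pointer after it has been freed, which is exactly the use-after-free pattern described above; the hardened parser clears the pointer on free and rejects any later write, so a crafted file is refused instead of corrupting the heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Record types of the hypothetical project-file format used in this example.
   Each record is [type:1 byte][len:1 byte][len bytes of payload]. */
enum { REC_NEW_TRACK = 1, REC_FREE_TRACK = 2, REC_WRITE_TRACK = 3 };

/* Constructed input: create a 4-byte track, free it, then write into it.
   This is the sequence that triggers the use-after-free in parse_vulnerable. */
static const uint8_t CRAFTED_FILE[] = {
    REC_NEW_TRACK,   4, 'A', 'B', 'C', 'D',
    REC_FREE_TRACK,  0,
    REC_WRITE_TRACK, 4, 'X', 'X', 'X', 'X',
};

/* Constructed input that a correct file would look like: create, then write. */
static const uint8_t BENIGN_FILE[] = {
    REC_NEW_TRACK,   4, 'A', 'B', 'C', 'D',
    REC_WRITE_TRACK, 4, 'E', 'F', 'G', 'H',
};

/* Return codes: 0 = parsed, -1 = write to a freed track rejected,
   -2 = malformed record, -3 = out of memory. */

/* Vulnerable parser: after REC_FREE_TRACK the pointer still points at the
   released block, so a later REC_WRITE_TRACK writes into memory the allocator
   may already have reused (and the final free() becomes a double free). */
int parse_vulnerable(const uint8_t *buf, size_t n) {
    uint8_t *track = NULL;
    size_t track_len = 0, i = 0;
    while (i + 2 <= n) {
        uint8_t type = buf[i], len = buf[i + 1];
        const uint8_t *payload = buf + i + 2;
        if (i + 2 + len > n) return -2;            /* truncated record */
        switch (type) {
        case REC_NEW_TRACK:
            free(track);
            track = malloc(len ? len : 1);
            if (!track) return -3;
            memcpy(track, payload, len);
            track_len = len;
            break;
        case REC_FREE_TRACK:
            free(track);                           /* BUG: pointer left dangling */
            break;
        case REC_WRITE_TRACK:
            if (len > track_len) return -2;
            memcpy(track, payload, len);           /* use-after-free if track was freed */
            break;
        default:
            return -2;
        }
        i += 2 + len;
    }
    free(track);
    return 0;
}

/* Hardened parser: ownership is explicit. free() is always followed by
   clearing the pointer, and a write to a track that no longer exists is an
   error in the input, not a memory access. */
int parse_hardened(const uint8_t *buf, size_t n) {
    uint8_t *track = NULL;
    size_t track_len = 0, i = 0;
    while (i + 2 <= n) {
        uint8_t type = buf[i], len = buf[i + 1];
        const uint8_t *payload = buf + i + 2;
        if (i + 2 + len > n) { free(track); return -2; }
        switch (type) {
        case REC_NEW_TRACK:
            free(track);
            track = malloc(len ? len : 1);
            if (!track) return -3;
            memcpy(track, payload, len);
            track_len = len;
            break;
        case REC_FREE_TRACK:
            free(track);
            track = NULL;                          /* no dangling pointer */
            track_len = 0;
            break;
        case REC_WRITE_TRACK:
            if (track == NULL) return -1;          /* reject write to freed track */
            if (len > track_len) { free(track); return -2; }
            memcpy(track, payload, len);
            break;
        default:
            free(track); return -2;
        }
        i += 2 + len;
    }
    free(track);                                   /* free(NULL) is a no-op */
    return 0;
}

int main(void) {
    printf("hardened parser on crafted file: %d (expected -1)\n",
           parse_hardened(CRAFTED_FILE, sizeof CRAFTED_FILE));
    printf("hardened parser on benign file:  %d (expected 0)\n",
           parse_hardened(BENIGN_FILE, sizeof BENIGN_FILE));
#ifdef DEMO_UAF
    /* Build with: cc -g -fsanitize=address -DDEMO_UAF uaf.c
       AddressSanitizer reports heap-use-after-free at the memcpy in parse_vulnerable. */
    parse_vulnerable(CRAFTED_FILE, sizeof CRAFTED_FILE);
#endif
    return 0;
}
```

The vulnerable function is only run on the crafted input when compiled with -DDEMO_UAF, because that call is undefined behaviour by design; under AddressSanitizer it is reported immediately, which is the kind of tooling that finds bugs like CVE-2024-23300 before a fuzzer-generated file ever reaches users.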
Not much is happening with GarageBand right now
The GarageBand vulnerability was discovered by Munich-based security researcher Marc Schoenefeld, who works for Oracle, among others, and who, according to his LinkedIn profile, specializes in secure coding and vulnerability research.
Beyond that, GarageBand 10.4.11 brings no new features; Apple lists only "stability improvements and bug fixes" as the content of the update. The last major feature update for GarageBand on the Mac came in November 2022, when the company added almost 500 new Apple Loops and drum kits. At the moment Apple is maintaining its entry-level music production software only sluggishly; at least it still takes care of bug fixes.
(bsc)