GarageBand: Nasty bug can lead to code execution
The Mac version of Apple's free DAW contains a vulnerability that can apparently be exploited by attackers. An update is available.
GarageBand on the Mac: hole patched.
(Image: Apple)
Apple is warning of a potentially serious vulnerability in its digital audio workstation GarageBand. The Mac version of the free music application (which also exists for iOS and iPadOS) has a bug that attackers could use to execute arbitrary code on the computer. Whether the bug has already been exploited in the wild is not known.
Only the Mac version is affected, but back to Sonoma
The vulnerability has apparently been present in GarageBand for some time: it affects not only the current macOS version Sequoia (15) but also its predecessor Sonoma (14). The current GarageBand for Mac officially requires macOS 14.4 or later. According to Apple, the cause is a bounds-checking issue, and processing a maliciously crafted image can lead to execution of unwanted code. Apple does not say with which privileges that code would run.
The bug is tracked as CVE-2024-44142; it was discovered by Marc Schoenefeld, who once worked at the University of Bamberg. It initially remained unclear what a concrete attack scenario would look like. However, there are several places where images can be inserted into GarageBand, for example as cover art for a music project, so a booby-trapped image file received from a third party is a plausible vector. The severity of the vulnerability is rated "Medium" under CVSS v2 (base score 6.8) and "High" under CVSS v3 (base score 7.8).
Update quickly via the Mac App Store
Anyone running GarageBand on their Mac should install the update as soon as possible. The fixed release carries the version number 10.4.12. Apple distributes GarageBand via the Mac App Store, where automatic updates can also be enabled. Users can check the installed version via GarageBand > About GarageBand, or look for a pending update in the App Store's Updates section.
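For administrators who want to verify the patch level on several Macs without clicking through the App Store, the following script is an added example (not from the article or from Apple). It assumes the standard install path /Applications/GarageBand.app and reads the version from the app's Info.plist with the macOS tool /usr/libexec/PlistBuddy; the version comparison itself is a pure function, so it can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Report whether the installed GarageBand is at least the release that
# fixes CVE-2024-44142 (10.4.12 per Apple's advisory).

FIXED_VERSION="10.4.12"
# Assumed default install location of the Mac App Store build.
GB_PLIST="/Applications/GarageBand.app/Contents/Info.plist"

# version_ge A B: return 0 if dotted version A is >= B, 1 otherwise.
# Missing components are treated as 0, so 10.4 < 10.4.12 and 10.5 > 10.4.12.
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"
        bi="${b%%.*}"
        # Strip the consumed component (or empty the string if it was the last one).
        if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai:-0}"
        bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# garageband_status VERSION: print "patched" or "vulnerable" for a version string.
garageband_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo patched
    else
        echo vulnerable
    fi
}

# installed_version [PLIST]: print CFBundleShortVersionString of the installed app.
# Fails (non-zero) if the app is not present at the expected path.
installed_version() {
    plist="${1:-$GB_PLIST}"
    [ -f "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$plist"
}

main() {
    v="$(installed_version)" || { echo "GarageBand not found at $GB_PLIST"; return 2; }
    status="$(garageband_status "$v")"
    echo "GarageBand $v: $status (fixed in $FIXED_VERSION)"
    [ "$status" = patched ]
}

# Usage: sh gb_check.sh --check   (exit 0 = patched, 1 = vulnerable, 2 = not installed)
if [ "${1:-}" = "--check" ]; then
    main
    exit $?
fi
```

The exit code makes the script usable from a fleet-management tool: anything other than 0 means the machine still needs attention.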
GarageBand 10.4.12 also contains other "stability and bug fixes", which Apple unfortunately does not detail. The App Store release notes make no mention of security fixes either, which is regrettable because it gives users no reason to prioritize the update. At least Apple now lists the issue on its official Security Updates page.
(bsc)