Critical Vulnerability Discovered in GarageBand for Mac

Mon 3rd Feb, 2025

Apple has issued a warning regarding a significant security flaw found in its free Digital Audio Workstation (DAW), GarageBand, specifically in the Mac version. This vulnerability could potentially allow malicious actors to execute arbitrary code on affected devices.

The flaw, which has been present in GarageBand for some time, affects not only the latest macOS version, Sequoia (10.5), but also the earlier version, Sonoma (14). The current version of GarageBand for Mac is compatible starting from macOS version 14.4. According to Apple, the vulnerability stems from a problem with bounds checks, enabling a maliciously modified image to exploit the system and execute unauthorized programs.

It remains unclear whether any attacks leveraging this vulnerability have occurred. The issue is tracked as CVE-2024-44142 and was discovered by a former researcher from the University of Bamberg. While the specific attack scenarios are not fully detailed, GarageBand offers multiple points where images can be incorporated, such as cover art for music projects.

The severity of the vulnerability has been rated as 'Medium' according to CVSS v2 (Base Score: 6.8) and 'High' based on CVSS v3 (Base Score: 7.8). Users of GarageBand on Mac are strongly advised to install the available update as soon as possible. The latest version, which includes security fixes, is 10.4.12. GarageBand is distributed via the Mac App Store, where users can also opt in to automatic updates.
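One way to confirm that a Mac already has the fixed release (10.4.12) installed, as an added example that is not from Apple or the original article. The install path `/Applications/GarageBand.app` and the function names are assumptions; the comparison is done per numeric component because a plain string comparison would rank 10.4.9 above 10.4.12.

```shell
#!/bin/sh
# Added example: compare the installed GarageBand version with the fixed
# version named in the article (10.4.12).
FIXED_VERSION="10.4.12"
# Assumption: default Mac App Store install location; override via APP_PLIST.
APP_PLIST="${APP_PLIST:-/Applications/GarageBand.app/Contents/Info.plist}"

# version_ge A B: return 0 if dotted version A >= B, 1 if A < B,
# 2 if either contains a non-numeric component.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # Leading component of each side; a missing component counts as 0.
        x="${a%%.*}"; y="${b%%.*}"
        x="${x:-0}"; y="${y:-0}"
        case "$x$y" in *[!0-9]*) return 2 ;; esac
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        # Drop the component that was just compared.
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# garageband_status VERSION: print patched / vulnerable / unknown and
# return 0 / 1 / 2 so the result can be used from fleet-management scripts.
garageband_status() {
    rc=0
    version_ge "$1" "$FIXED_VERSION" || rc=$?
    case $rc in
        0) echo "patched" ;;
        1) echo "vulnerable" ;;
        *) echo "unknown" ;;
    esac
    return $rc
}

# On a Mac with GarageBand installed, read the bundle version and report it.
if [ -f "$APP_PLIST" ]; then
    installed=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$APP_PLIST")
    echo "GarageBand $installed: $(garageband_status "$installed")"
fi
```
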

In addition to addressing the security issue, GarageBand 10.4.12 includes further stability and bug fixes, though Apple has not provided detailed information on these improvements. Unfortunately, there is no mention of security-related updates in the release notes, which may hinder user willingness to update. Nonetheless, Apple has begun to list this security issue on its official Security Updates webpage.

