Apple says a newly patched hole in its GarageBand music tool could allow for remote code execution on the Mac.
The GarageBand 10.1.6 update is being pushed out to all Macs running OS X Yosemite and later. Because GarageBand is installed by default on OS X systems, all Mac owners should install the patch, but those who regularly use the music composing software should pay particular attention.
The lone flaw addressed in the update, CVE-2017-2374, allows an attack to remotely execute simply by running a malformed .band file. Apple uses the .band format for all GarageBand project files. In theory, a crook could exploit the bug by convincing the user to run the specially crafted .band file that would target the bug. CVE-2017-2374 was one of two GarageBand flaws discovered by Cisco Talos researcher Tyler Bohan. Apple addressed the other vulnerability, CVE-2017-2372, with an earlier update.
"This particular vulnerability is the result of the way the application parses the proprietary file format used for GarageBand files, .band," explains Talos. "The format is broken into chunks with a specific length field for each. This length is controlled by the user and can be leveraged to expose an exploitable condition." Neither Apple nor Talos reported any attacks on the vulnerability in the wild.
Apple users should already be looking to update their Macs, thanks to this morning's monthly patch release by Adobe for Flash Player on OS X. That update addresses a total of 13 security holes in the internet's screen door, all of which can be exploited for remote code execution.