There have been several vulnerabilities affecting the GarageBand application in the past, with the most recent two occurring almost precisely two years ago. You can find more information on these vulnerabilities from Apple’s support pages. However, the CVE-2022-22664 and CVE-2022-22657 vulnerabilities also affected Logic Pro 10.7.3 and macOS Monterey 12.3. What makes this particular update surprising is that the CVE-2024-23300 security vulnerability only relates to the GarageBand app itself, running on both macOS Ventura and macOS Sonoma, and it addresses a single security issue.
What Is The Apple GarageBand CVE-2024-23300 Vulnerability?
CVE-2024-23300 is described by Apple as being a use-after-free memory issue that could lead to “unexpected app termination or arbitrary code execution. The former is annoying but the latter could have substantial potential security issues should an attacker exploit this vulnerability. This is why Apple has responded in this highly unusual but very welcome manner to address a security vulnerability in a single application and not wait to bundle it with a macOS patch.
There isn’t much more known about the vulnerability at this point, with Apple stating that it doesn’t “disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available” for customer protection. That is perfectly understandable, and other large technology companies, such as Google, adopt the same strategy to prevent exploitation before users have had every chance to apply the update patch.
Has This GarageBand Security Vulnerability Already Been Exploited?
What we do know about CVE-2024-23300 is that this vulnerability could be exploited by the user being tricked into opening a maliciously crafted file. Although there is no evidence available to suggest that threat actors have exploited this vulnerability in the wild to date, the sensible security advice of regular Apple security writer Kate O’Flaherty to update as soon as possible still stands. Users of the GarageBand app on the iPhone and iPad do not appear to have been affected by this vulnerability so no update is required for them.
Read the full article here
