It isn’t every day Apple releases a security patch for a specific app. Usually, the company releases patches as part of a large update, such as with iOS 17.4 and macOS Sonoma 14.4. However, the company unexpectedly dropped an update for GarageBand Tuesday, which included a security patch for the audio program alone.
On the App Store, Apple says GarageBand 10.4.11 is an update that includes “stability updates and bug fixes.” However, according to Apple’s security notes, the company specifies this update is for GarageBand apps on macOS Sonoma and macOS Ventura, and addresses an issue where processing a malicious file could lead to app termination or arbitrary code execution.
It appears that the issue stems from a use-after-free vulnerability: This is a flaw caused when the memory management system clears data from memory, but doesn’t clear the pointer that leads to that available memory. In this case, malicious users could substitute their own code in this available space. In short, bad actors could exploit the vulnerability to run whatever code they wanted to, and effectively take over your machine.
Typically, this is the part where I’d recommend you update GarageBand at your earliest convenience. Since this flaw specifically seems to affect macOS’ version of GarageBand, I’d point you to the Mac App Store’s Updates tab. However, when I go here, I don’t actually find the update waiting for me. I do find it, however, when searching GarageBand in the App Store. It didn’t show up right away, though: If you can’t find the update in the Updates menu or the App Store, keep trying.
It doesn’t seem like this vulnerability is a zero-day, so, in theory, there should be no known exploits for it. However, to be safe, you should update GarageBand before continuing to use it. At this time, it seems this issue doesn’t affect the iOS version of GarageBand, which is currently version 2.3.15. However, if both apps have the same vulnerability in their code, expect an iOS update imminently.
