Hidden in the Mac App Store updates tab for the past day or two has been an update for GarageBand to version 10.1.6. While the update notes say only that it fixes “Performance and security issues”, it appears that the primary reason for the release was to shut the door on a vulnerability in GarageBand.
Tyler Bohan of Cisco Talos discovered the vulnerability, in which opening a “maliciously crafted” GarageBand project file could cause “arbitrary code execution”. Bohan noted that the .band file format used by GarageBand breaks a file up into segments that each have their own properties. The length of each of those segments is controlled by the user, and GarageBand didn’t validate whether those lengths fall within defined bounds.
Since the segment lengths weren’t verified by the app, an attacker could create a .band file with malware hidden inside that could execute upon being opened by GarageBand. Bohan only disclosed the vulnerability after Apple issued the 10.1.6 patch, and it does not appear that the vulnerability was ever used in an attack.
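To illustrate the class of defect described above, here is an added example (not GarageBand’s code, and not the real .band layout) of a parser for a constructed tag/length/payload segment format that rejects any segment whose declared length exceeds a sane maximum or runs past the end of the buffer before copying a single byte:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical segmented layout (assumed for illustration, not the real
 * .band format): each segment is a 1-byte tag, a 4-byte little-endian
 * payload length, then the payload bytes. */
#define MAX_SEGMENT_LEN 4096u
#define SEG_HDR_LEN 5u

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk every segment, checking each declared length against the bytes that
 * actually remain. Returns the segment count, or -1 if a header is
 * truncated, a length is implausibly large, or a length would run past the
 * buffer. Copying seg_len bytes without these checks is the kind of
 * unvalidated-length bug the article describes. */
int parse_segments(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    uint8_t scratch[MAX_SEGMENT_LEN];
    while (off < len) {
        if (len - off < SEG_HDR_LEN) return -1;            /* truncated header */
        uint32_t seg_len = rd_le32(buf + off + 1);
        if (seg_len > MAX_SEGMENT_LEN) return -1;          /* implausible length */
        if (seg_len > len - off - SEG_HDR_LEN) return -1;  /* would overrun buffer */
        memcpy(scratch, buf + off + SEG_HDR_LEN, seg_len); /* now provably in bounds */
        off += SEG_HDR_LEN + seg_len;
        count++;
    }
    return count;
}

/* Constructed sample inputs. */
static const uint8_t good_file[] = { 'T', 3,0,0,0, 'a','b','c', 'U', 1,0,0,0, 'z' };
static const uint8_t huge_len[]  = { 'T', 0xff,0xff,0,0, 'a','b','c' }; /* claims 65535 bytes */
static const uint8_t overrun[]   = { 'T', 10,0,0,0, 'a','b' };          /* claims 10, has 2 */

int main(void) {
    printf("good: %d segments\n", parse_segments(good_file, sizeof good_file));
    printf("huge length: %d\n", parse_segments(huge_len, sizeof huge_len));
    printf("overrun: %d\n", parse_segments(overrun, sizeof overrun));
    return 0;
}
```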
If you use GarageBand regularly (and even if you don’t), be sure to run the update from the Mac App Store as soon as possible.