Discovered by Tyler Bohan of Cisco Talos
Overview
Talos is disclosing TALOS-2016-0262 (CVE-2017-2372) and TALOS-2017-0275 (CVE-2017-2374), two out-of-bounds write vulnerabilities in Apple GarageBand. GarageBand is a music creation program that lets users create and edit music easily and effectively on their Mac. GarageBand is installed by default on all Mac computers, so there is a significant number of potential victims. The issue was partially resolved on 1/18/17 with a patch that addressed CVE-2017-2372; the patch released on 2/13/17 addressed CVE-2017-2374, fully resolving the issue.
This vulnerability results from the way the application parses the proprietary file format used for GarageBand projects, .band. The format is broken into chunks, each carrying its own length field. That length is read straight from the file, so it is controlled by whoever crafts the file, and an out-of-range value can be leveraged to expose an exploitable out-of-bounds write. The vulnerability can be triggered by convincing a user to open a specially crafted .band file.
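To make concrete how a length field read from a file turns into an out-of-bounds write, here is an added example; it is not code from the advisory, from Talos or from Apple, and the chunk layout is hypothetical rather than the real .band format. It assumes a chunk of a 4-byte tag, a 4-byte little-endian length and `length` bytes of payload, parsed once with the length trusted and once with the length bounded against both the fixed-size destination and the bytes remaining in the input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical chunk layout used for this example (NOT the real .band
 * format): 4-byte ASCII tag, 4-byte little-endian payload length, then
 * `length` bytes of payload, repeated until the end of the file. */
#define HDR_LEN     8
#define PAYLOAD_MAX 64

struct chunk {
    char     tag[4];
    uint32_t len;
    uint8_t  payload[PAYLOAD_MAX];   /* fixed-size destination buffer */
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length comes from the file and is trusted.
 * A length larger than PAYLOAD_MAX writes past `payload` (stack or heap
 * overflow depending on where `out` lives); a length larger than the
 * remaining input also reads past the end of the file buffer.
 * Kept only for contrast; never call it on untrusted input.
 * Returns the number of bytes consumed, or 0 if no header fits. */
size_t parse_chunk_unchecked(const uint8_t *in, size_t in_len, struct chunk *out)
{
    if (in_len < HDR_LEN)
        return 0;
    memcpy(out->tag, in, 4);
    out->len = rd_le32(in + 4);
    memcpy(out->payload, in + HDR_LEN, out->len);   /* BUG: unbounded copy */
    return HDR_LEN + out->len;
}

/* Hardened version: the length is checked against both bounds before any
 * copy. Returns 0 on success and a negative code otherwise; on success
 * *consumed receives the number of input bytes used by this chunk. */
int parse_chunk_checked(const uint8_t *in, size_t in_len,
                        struct chunk *out, size_t *consumed)
{
    if (in_len < HDR_LEN)
        return -1;                         /* header does not fit */
    uint32_t len = rd_le32(in + 4);
    if (len > PAYLOAD_MAX)
        return -2;                         /* would overflow the destination */
    if (len > in_len - HDR_LEN)            /* no underflow: in_len >= HDR_LEN */
        return -3;                         /* would read past the input */
    memcpy(out->tag, in, 4);
    out->len = len;
    memcpy(out->payload, in + HDR_LEN, len);
    *consumed = HDR_LEN + len;             /* cannot overflow: len <= PAYLOAD_MAX */
    return 0;
}

/* Walk a whole file with the checked parser. Returns the number of chunks,
 * or the negative code of the first chunk that fails validation. */
int count_chunks(const uint8_t *in, size_t in_len)
{
    int n = 0;
    size_t off = 0;
    while (off < in_len) {
        struct chunk c;
        size_t used;
        int rc = parse_chunk_checked(in + off, in_len - off, &c, &used);
        if (rc != 0)
            return rc;
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample inputs for this example (not real .band data). */
const uint8_t good_file[] = {          /* two well-formed chunks */
    'T','R','A','K', 0x05,0x00,0x00,0x00, 'h','e','l','l','o',
    'N','O','T','E', 0x02,0x00,0x00,0x00, 0x3c,0x40,
};
const uint8_t oversized_file[] = {     /* length 0x7fffffff, 3 bytes present */
    'T','R','A','K', 0xff,0xff,0xff,0x7f, 'A','B','C',
};
const uint8_t truncated_file[] = {     /* length 16 fits the buffer, not the file */
    'T','R','A','K', 0x10,0x00,0x00,0x00, 'A','B','C',
};

int main(void)
{
    printf("good_file:      %d\n", count_chunks(good_file, sizeof good_file));
    printf("oversized_file: %d\n", count_chunks(oversized_file, sizeof oversized_file));
    printf("truncated_file: %d\n", count_chunks(truncated_file, sizeof truncated_file));
    return 0;
}
```

The two checks in `parse_chunk_checked` are independent: the first protects the destination buffer (the write the advisory describes), the second protects the source buffer (an over-read that a fuzzer finds just as readily). Checking only one of them, or checking `HDR_LEN + len` after computing it in a narrower type, leaves the other side open.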
My MacBook Pro could have been hacked by this vulnerability duly 2016. I was trying to set up the then-new MacBook and the mouse was being remotely used. I was wrestling for control, and found it strange that the attacker (in the apartment next door I suspect) was desperately trying to start GarageBand and just stopped once a file had been opened. I've reset my MacBook to factory a few times since then and GarageBand hasn't shown up for a long time. Could the hack withstand a reinstall?
@Simon – You are asking several questions in one there. If you were subject to someone taking remote control of your machine and attempting to open a specially crafted GarageBand file, your machine has already been compromised to allow such remote access. A factory reset would allow some system files to persist that may be related to how an attacker was able to install a RAT in the first place. A full format and system scan is your best bet at this point. Thanks for your comment!