Unpatched Flaw In Apple Remote Desktop Brings About Trojans & Community Fixes

Much ado has been made this week regarding the recent Apple Remote Desktop Root Privilege Escalation Vulnerability. The short story is that there is a flaw in a piece of software that Apple ships & installs with every Leopard instance which enables a local user to run scripts with root privileges (meaning they can do anything on the system).

As you may have read, this flaw is not capable of being exploited remotely, but multiple variants of a new Trojan (dubbed “AppleScript-THT”) are floating around the internets which wreak all sorts of havoc on your system once infected. Some install keystroke logging, usurp your iSight camera to take pictures or even capturing screenshots (some do much worse).

The Washington Post has a great blog post which gives a great amount of detail on the problem and even mentions a few solutions. The quickest way (until Apple releases a patch) to protect yourself is to open up a Terminal window and enter the following text:

osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"';

If that was successful, then you should not see “root” when you paste this into the Terminal window:

osascript -e 'tell app "ARDAgent" to do shell script "whoami"';

SecureMac has updated MacScan to account for these new beasts and DAT updates from other vendors are forthcoming.

Until Apple releases a patch and you install it be very careful what you download and execute, both from your browser or chat clients.

If you have any questions or concerns, please drop a note in the comments and I will monitor this thread closely over the coming days to try to help as much as possible. Watch for a TAB post when Apple issues a fix.


loading

Comments have been disabled for this post