uh oh... Mac users beware

You don't have to put in your password. At least for Intego's exploit, it runs under any user.

Nice! Sneaky. What is it doing, enabling ssh?

If it's a privilege escalation it will run under any user…

Think security companies have virus-writing departments? I would if I was running an internet security business. Create your own market. Numbers don’t look good this month? Toss out a couple more viruses and publish that you “found” them.

This vulnerability takes advantage of the fact that ARDAgent, a part of the Remote Management component of Mac OS X 10.4 and 10.5, has a setuid bit set. Any user running such an executable gains the privileges of the user who owns that executable. In this case, ARDAgent is owned by root, so running code via the ARDAgent executable runs this code as root, without requiring a password. The exploit in question depends on ARDAgent’s ability to run AppleScripts, which may, in turn, include shell script commands.

Someone set the permissions wrong :shrug:

The simple fix for this is don't run ARD; most users shouldn't need to anyway. Beyond that, Apple will release some "fix" which will most likely change permissions on the file.

Yeah, it seems like simply lazy programming. Should def. be an easy fix.

Also, though, most routers' built-in firewalls would most likely block the ARD connection from coming in, so I doubt it would end up doing much damage.

Well from the wording of the report it looks like ARD is standard on 10.5, and you would want to turn Remote Management on, not off.

Not sure though, because that sounds backwards to me.

EDIT: Ars is reporting that enabling ARD kills the exploit as well as a terminal command to kill off the processes