OS X flaw exposes Leopards and Tigers
8:39AM, Friday 20th June 2008
Security firm Intego has discovered a critical security vulnerability in Leopard and Tiger which could enable programs to run with full, root access to the system.
Fortunately, it Intego says that security hole is easily closed by simply enabling Remote Management in the Sharing preferences. Once this setting is activated, any exploit will not function.
The vulnerability takes advantage of the fact that Remote Management's ARDAgent component is owned by root, so running code via the ARDAgent executable runs this code as root, without requiring a password. The exploit in question depends on ARDAgent's ability to run AppleScripts, which may, in turn, include shell script commands.
SecureMac is reporting that it has already discovered both an AppleScript and and an application that attempt to exploit the flaw: a compiled 60KB AppleScript called ASthtv05 and a 3.1MB application bundle called AStht_v06. The user must download and open either in order to become infected, whereupon the malware moves itself into the /Library/Caches/ folder and adds itself to the System Login Items.
It the runs hidden on the system and can transmit system and user passwords and allow a malicious user complete remote access to the system. It attempts to avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.
Simon Aughton
Don’t they mean that you should *disable* the function?
Also, RM is turned off by default in a Leopard install.