
Don’t Use chmod To Block Mac OS X ARDAgent Vulnerability

Just a quick note: if you used chmod to change the permissions of ARDAgent to block the privilege escalation vulnerability being used by the new trojans, you should still go compress or remove it. Repairing permissions restores ARDAgent's original permissions and opens the vulnerability again.

I suppose you could also make sure you don't repair permissions, but it's easiest to just remove it.

I removed the chmod recommendation from the TidBITS article.

—Rich


Comments:


By Johnny Tolliver  on  06/25  at  10:55 PM

What about those of us who work in an IT environment in which we are *required* to run ARD?

By rmogull  on  06/25  at  11:03 PM

Just running ARDAgent closes a bunch of the ways this can be exploited. Other than that, you'll need to wait for a patch. Again, this is a really low risk vulnerability.

By Dave Ely  on  06/26  at  04:41 AM

I am somewhat surprised that so few people are using Martin Kou’s approach which seems a lot more useful.

http://martinkou.blogspot.com/2008/06/how-to-properly-fix-mac-os-x-ardagent.html

The idea is to make ARDAgent pay attention to its dictionary, which is empty so far as I can tell.
There may yet be a hole in there, but it's no longer able to run arbitrary shell scripts.
