SecureMac discovers Trojan horse targeted at Mac OS X
#29
Posted 20 June 2008 - 09:38 AM
Yes, assuming you download and run an infected program. ARDAgent is a program that is capable of passing AppleScript commands to the host system. So it doesn't matter what you've set up in remote login or screen sharing. About the only thing that matters is Remote Management. With that feature enabled, it seems the ability to pass the AppleScript commands fails.
-rob.
#31
Posted 20 June 2008 - 10:53 AM
griffman, enabling: doesn't that seem more like an easy bug fix that any joe developer could quickly overcome? Suddenly enabling remote access seems more detrimental than leaving it alone. That seems like opening a new door to a larger group of felons.
Nevertheless I'd have to download this malicious program, from a service from where I'd probably be stealing said program, and launch it. I'd say 99% of people using a Mac are safe.
#32
Posted 20 June 2008 - 11:01 AM
Well, it's no more of a risk than is enabling File Sharing, Screen Sharing, or Remote Login, all of which are always running on my Mac. Even with it enabled, you haven't enabled any of the privileges, so if they actually got in with Apple Remote Desktop (which is what this item relates to), they wouldn't be able to do anything. Small risk, I think. As for the 99% figure, I'd say that's low. I would venture a guess that well more than 1% of Mac users (and computer users in general) often run programs they got from sources they don't know and trust. But like your figure, that's just a guess.
-rob.
#33
Posted 20 June 2008 - 11:40 AM
MacTechAspen said:
Zensunni, are you sure you don't work for a security company? There are plenty of independent sources for testing the efficacy of malware, and not one of them is the DMV or my Mayor. How about Macworld? Or how about gee I don't know, Cert. A company that stands to make a profit off of a report is suspect. I am a professional wine critic, if I worked for a winery would you want to read my reports?
Because I don't jump on the Macolyte bandwagon that rubbishes this report of a Mac trojan and actually believe Mac users should be concerned about viruses, I must be an employee of a security company? Hahah. No, I'm not. I work for a charity, as I've mentioned in other posts quite a few times. And the charity I work for used to have a rubbish anti-virus policy, and a few years ago suffered a week of no email because they suffered from an outbreak of a virus that very quickly replicated across many of the client PCs. So I'm quite aware of what can happen, and how easy it is through social engineering to get people to open things that in retrospect they'd readily admit should've been obvious.
Quote
Anyone can test this minor piece of malware - find a copy and send it to me, I will be happy to (sorry I am not dumb enough to have Limewire installed or to accept iChat invitations from strangers). If you are not connected to the internet it seems pretty simple to keep this bad boy under control.
Amazing, you're not 'dumb enough to have Limewire', but you're naive enough to readily try out what you trivialise as a 'minor piece of malware'? Sorry, but I don't consider any malware that can transmit passwords or log keystrokes to be minor, and, unless you have a purpose-built lab of test computers on a standalone network, I have to wonder about your assertion that you're not 'dumb enough.'
Quote
To say that only security companies have the labs and skills to run tests on an AppleScript is at least disingenuous.
To say that security companies reporting on malware should be ignored as biased is dangerous.
#34
Posted 20 June 2008 - 11:51 AM
alansky said:
@zensunni:
Trying to make ourselves feel smugly superior for installing anti-virus software way in advance of any compelling need, are we? Whatever turns you on, dude.
Actually, it's the smugly superior Macolytes who seem to think the free ride we've had for years is going to continue indefinitely who worry me. I certainly don't expect any major outbreak to happen tomorrow or next week or next month, but it will happen. Just like that hard drive in your Mac will fail if you use it long enough, so if your data is important to you, you should be taking regular backups. I find it sad that people seem to find it acceptable to wait for the outbreak to occur before they take any action.
#35
Posted 20 June 2008 - 11:58 AM
airhead said:
Nevertheless I'd have to download this malicious program, from a service from where I'd probably be stealing said program, and launch it. I'd say 99% of people using a Mac are safe.
I'd even say you're overestimating the number that will get hit by this. Regardless, if you think about the number of Mac users there are, that's still likely to be a large number.
And there are other ways for something like this to be distributed. Trojans are regularly sent via email using spoofed addresses to make the email appear as if it came from someone you know. Sure, you won't be fooled. But what about your mother? Grandfather? Nephew? Time and again people make the mistake of assuming that because they'd know better than to open that attachment everyone else will know, as well. Time and again people who think that have been proven wrong. It amazes me that people fall to phishing, but enough people obviously do.
#36
Posted 20 June 2008 - 01:29 PM
griffman said:
As noted in the Intego notes, there is an easy (and free) workaround -- go to your Sharing System Preferences panel, and check the Remote Management box. In the new dialog that appears, don't enable anything, just click OK. The root exploit will now fail to run. No purchase required, and you should be protected until Apple patches this one.
In my case, when I did this remotely on my desktop machine, it cut off remote access to the desktop (i.e. screen sharing stopped working). Oops. So make sure you know what you want to do first.
#37
Posted 21 June 2008 - 10:50 AM
griffman said:
go to your Sharing System Preferences panel, and check the Remote Management box. In the new dialog that appears, don't enable anything, just click OK.
I don't find any "Remote Management box" in my sharing system prefs. I'm using Tiger 10.4.11 ???
#38
Posted 21 June 2008 - 11:10 AM
I can understand the legendary clueless about Mac sites like CNET etc. but I don't understand why Macworld didn't bother asking established security companies like Intego, Symantec and McAfee about this "threat"? You know, like second opinion.
You may get really surprised about the answers you would get especially about credibility of the site you reference.
#39
Posted 21 June 2008 - 01:16 PM
llgaz: It seems like this time around, SecureMac/Intego are right on this one. Rob Griffiths has independently verified that OS X contains this vulnerability, which apparently affects all user groups given that ARDAgent is owned by root.
A little Saturday security dispatch with some "What You Need to Know" info would be a great help to the rest of the Mac public, Macworld editors!