updated 05:55 pm EDT, Wed October 25, 2006
Internet security and privacy firm Intego has released a security memo regarding a proof-of-concept exploit (site not updated), Inqtana.d Bluetooth, which provides attackers with a root account on affected Macs. The exploit, which has not yet been seen in the wild and is unable to compromise up-to-date installations of Mac OS X, is installed on a Mac OS X system via Bluetooth from a computer or PDA running Linux. Mac OS X 10.3 and Mac OS X 10.4 systems that are not up to date with Apple's latest security fixes are vulnerable, and Bluetooth must be active. Bluetooth file transfer need not be enabled, however, and the attacking computer must be within Bluetooth range. "This exploit is installed from a Linux system, and exploits an rfcomm security hole in Bluetooth software. Unlike previous versions of Inqtana malware, no user interaction is required."
"It installs a user account (named 'bluetooth'), with no password, which grants root access to malicious users logging into this account. This account is available immediately, and the Mac OS X 10.4 computers do not need to be restarted (Macs running Mac OS X 10.3 do need to be restarted)."
The exploit installs a number of files on computers it attacks, and the user account it installs contains a backdoor that allows malicious users to log into that account via Ethernet or AirPort network access. Once the exploit is installed, Bluetooth is no longer required to take advantage of it, according to Intego. Apple's Security Update 2005-005 protects against the vulnerability for Mac OS X 10.3 systems, while Mac OS X 10.4.7 guards against the vulnerability running Mac OS X Tiger.