
New Mac OS X Trojan horse identified

updated 08:40 am EDT, Fri June 20, 2008

Mac OS X Trojan found

Multiple variants of a new 'Trojan Horse', designed to allow a malicious user complete remote access to a Mac OS X system, were discovered in the wild earlier this week, according to SecureMac, maker of Mac anti-spyware and anti-virus software. Dubbed 'Applescript.THT Trojan' and disguised as an application bundle called 'AStht_v06' (3.1MB in size), the malware seemingly originated on, and is distributed via, a 'hacker' website, as well as through Limewire and iChat. After infiltrating a system, the malicious script can reportedly "log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing". A 'copy cat' program based on the OS X Remote Management exploit was discovered earlier this week.

For added security and protection against 'Applescript.THT' as well as other OS X malware, MacScan advises using anti-virus software, including its MacScan 2.5.2 with the latest spyware definitions (2008011); the company also cautions users to download files only from known, trusted sources.

 
Previous Comments

Yawn

06/20, 09:58am (1 reply)

Seems quite funny to me that there are reportedly multiple variants of this trojan discovered in the wild, yet absolutely zero reports of anyone actually being impacted by them. Par for the course with these crying wolf stories.

MacnTX

Fresh-Faced Recruit

Joined: Apr 2004

+1

antiviri

06/20, 10:25am

Who has antivirus running on OS X? Nobody, so we don't know how many got infected. It's luckily not a virus; it has to be installed like a regular app. The user has to be targeted; most of us don't need to worry, but companies and governments will.

Peter Bonte

Fresh-Faced Recruit

Joined: Aug 2001

+2

More bullshit

06/20, 10:26am (1 reply)

Another virus discovered by a company that markets anti-virus products. Hmmm...I wonder...

Mr. Strat

Fresh-Faced Recruit

Joined: Jan 2002

+3

Who will ever...

06/20, 10:37am

.. install and even auth an app called "AStht_v06"??
Gee...

Marook

Forum Regular

Joined: May 1999

+2

Easy to do.

06/20, 10:42am

This sort of scripting is painfully easy to do especially if the user is running as an admin user. The simple step of running as a non-admin user vastly tightens your security.

Now, the problem is that this little exploit is a problem with the ARD client that allows non admin users to run programs as admin users. This creates a big hole in security and will need to be fixed by Apple ASAP.

bjojade

Fresh-Faced Recruit

Joined: Jun 2007

+2


Re: more bullsh*t

06/20, 10:43am

That's right, it's from an anti-virus company. So it must be garbage.

And if MS made this announcement, you'd bash them for all the security issues in windows and ignore it.

And if Adobe made the announcement, you'd say "bah! what does Adobe know about viruses!"

Who exactly would you 'trust' to hear such info from?

testudo

Fresh-Faced Recruit

Joined: Aug 2001

-10

Why,

06/20, 11:30am

We trust it from you, testudo.

dampeoples

Mac Elite

Joined: Jul 2002

+9

Summary

06/20, 11:52am

Some folks have just recently discovered that, under certain circumstances, a Mac OS X OS component (ARDAgent) enables the local execution of arbitrary code as root. ARDAgent is part of the Apple Remote Desktop remote management framework, and is setuid root. Because of this, and combined with ARDAgent's ability to execute AppleScripts, which in turn allows the execution of shell scripts, arbitrary code can be executed as root by local users with physical access to the system.

This doesn't work unless the same user is logged in to the console as is executing the code; this is obviously the default scenario for a local user, but it also means that it is only a threat remotely if the same user is logged into the local console (via the GUI) as the remote user, and the remote user already has some level of legitimate access to the machine. However, this can be an issue for public and shared systems, whereby users with physical access can become root.

It is important to reiterate that this issue cannot be exploited unless someone has physical access to the system, or has legitimate, existing local access AND the same username is logged into the local console (meaning they already also have legitimate local access). This could also be an issue if a local user downloaded and ran untrusted software (e.g., trojan vector).

** Systems unaffected:

Systems with Remote Management (Apple Remote Desktop) enabled for remote management (in System Preferences -> Sharing) are not affected by this issue. This means managed or server environments already using Apple Remote Desktop are not affected.

** Workaround: Enable Remote Management or Remote Desktop (in System Preferences -> Sharing).

On Mac OS X 10.5.x, you can also select "Allow access for: Only these users:" and leave the field blank, essentially allowing no access. This prevents the issue from occurring.

** Temporary solution for other standalone systems where enabling the Remote Management setting is not desired: Remove setuid from ARDAgent.

sudo chmod u-s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

For more information, see http://www.macosxhints.com/article.php?story=20080620052233168

Regards,

Dave Schroeder
University of Wisconsin-Madison
das@doit.wisc.edu
http://das.doit.wisc.edu
1 608 265-4737

das

Fresh-Faced Recruit

Joined: Jan 2001

+13
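The summary above gives a one-line fix (remove setuid from ARDAgent) but no way to confirm the bit is actually gone or to audit a fleet of standalone machines. The following is an added example, not part of the original post or of Apple's tooling: a small POSIX shell audit that reports whether the ARDAgent binary at the path quoted in the post is still setuid, and applies the same `chmod u-s` remediation and verifies it afterwards. Because the real path only exists on Mac OS X, the functions take an optional path argument and the `demo` function exercises them on a constructed temporary file.

```shell
#!/bin/sh
# Added example (not from the original post): audit and remediate the setuid bit on
# ARDAgent, the mitigation Dave Schroeder's summary describes. Assumptions: the
# ARDAgent path is the one quoted in the post; any other path is only for testing.

ARDAGENT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"

# ardagent_status [PATH]: prints "missing", "setuid" or "clean" for PATH (default: ARDAgent).
# [ -u FILE ] is the POSIX test for the set-user-ID bit, so no GNU/BSD stat differences.
ardagent_status() {
    p="${1:-$ARDAGENT}"
    if [ ! -e "$p" ]; then
        echo "missing"
    elif [ -u "$p" ]; then
        echo "setuid"
    else
        echo "clean"
    fi
}

# ardagent_remediate [PATH]: clears the setuid bit with chmod u-s (the post's fix) and
# re-checks, returning 0 only when the bit is verifiably gone. On the real path this
# needs root (sudo), exactly as in the post.
ardagent_remediate() {
    p="${1:-$ARDAGENT}"
    [ -e "$p" ] || { echo "missing"; return 1; }
    chmod u-s "$p" || return 1
    [ -u "$p" ] && return 1
    return 0
}

# demo: constructed scenario on a temp file so the check runs on any Unix, not only on
# a 10.5 Mac. Marks the file setuid, audits, remediates, audits again, and reports.
demo() {
    tmp=$(mktemp) || return 1
    chmod 755 "$tmp" && chmod u+s "$tmp"
    before=$(ardagent_status "$tmp")
    ardagent_remediate "$tmp" >/dev/null
    after=$(ardagent_status "$tmp")
    rm -f "$tmp"
    echo "before=$before after=$after"
}

# Uncomment to run against the real binary on a Mac (remediation requires sudo):
# ardagent_status; sudo sh -c ". $0; ardagent_remediate" && ardagent_status
```

Note that, as the summary says, a system with Remote Management enabled in Sharing is not affected, so a `setuid` result is only a finding on machines where that setting is off; the audit does not inspect that preference.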

Testudo is my hero...

06/20, 08:08pm

he's saving us from the millions of malware attacks our Macs are in no danger of falling prey to.

What would we do without his help??!

yakirz

Fresh-Faced Recruit

Joined: Oct 2001

0

he's not wrong

06/20, 08:41pm

If testudo said the sky was blue, the forums would ring with the people insulting him. If he had not put his name to it, you would not have reacted. Judge the post, not the person. Of course a security firm announced it. It's what they do. If the plumber said "your pipes need fixing", would you be surprised? And immediately disbelieve him?

ophiochos

Fresh-Faced Recruit

Joined: Nov 2006

+6
