Update: Looks like we posted too soon. As commenters at TUAW pointed out, the workaround is not 100% foolproof. If someone is logged in via SSH under the same user name as the logged-in user, they can kill the running ARDAgent process and run the script in the window before ARDAgent is relaunched. That takes extra finagling and timing and is an unlikely scenario for most users, but be aware that the underlying issue is still unresolved. If you don’t plan on using Remote Desktop with your Mac at all, you can archive and remove ARDAgent.app, which rids your system of the program that opens up the vulnerability.
Yesterday, an anonymous Slashdotter posted about a security vulnerability in Mac OS X 10.4 and 10.5 that could allow a malicious party root access to your system. The vulnerability works by running an AppleScript through the Apple Remote Desktop Agent (ARDAgent): because of the way ARDAgent is installed (set-user-ID root), it runs as root, so any subprocess it spawns also runs with root privileges, and no user password is ever requested. In the wrong hands, the results could be very, very messy.
Several additional factors would have to line up before any damage could unfold (physical access to the machine, a remote login under the account currently in use, or the end user willingly running a malicious application), but this is still disconcerting enough for us to want a quick and effective resolution.
Luckily, there is a very easy way to protect your system from being affected. It turns out that if Remote Management (Apple Remote Desktop in Tiger) is enabled under the Sharing pane in System Preferences, even if no other users are permitted to administer or access your machine, the script fails instead of gaining root (see the update above for the one known caveat).
TUAW has a visual walkthrough on how to apply this workaround for both Tiger and Leopard users, but the fix is pretty simple. In Leopard, simply enable the Remote Management feature in the Sharing panel, don’t select any of the options, and then select “apply to only these users” without defining any users. Now, if the potentially damaging script is run, your system reports an error instead of running it as root. Plus, if you do have a system that is managed remotely, that person can still access your computer (just make sure they are listed in the “allowed users” panel).
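If you would rather verify the state of your own machine than trust the checkbox, the following shell script is an added example (not code from the original post, from TUAW or from Apple) that checks the two conditions the post and its update turn on: whether the ARDAgent binary is installed set-user-ID root, and whether an ARDAgent process is currently resident. The path in ARD_BIN is assumed to be ARDAgent’s default location on Mac OS X 10.4 and 10.5; override it if your install differs.

```shell
#!/bin/sh
# Added example, not code from the original post or from Apple: a small
# check for whether this machine is exposed to the ARDAgent issue.
# ARD_BIN is assumed to be the ARDAgent binary's default location on
# Mac OS X 10.4/10.5; set ARD_BIN in the environment if yours differs.
ARD_BIN="${ARD_BIN:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"

# owner_uid FILE: print the numeric uid that owns FILE. ls -n is POSIX,
# unlike the BSD/GNU stat flags, so this works on both Mac OS X and Linux.
owner_uid() {
    ls -ln "$1" | awk '{ print $3 }'
}

# has_setuid_bit FILE: true if FILE carries the set-user-ID bit.
has_setuid_bit() {
    [ -u "$1" ]
}

# is_setuid_root FILE: true if FILE exists, is owned by root (uid 0) and is
# set-user-ID. Anything such a binary runs on a user's behalf runs as root,
# which is the condition the post describes.
is_setuid_root() {
    [ -f "$1" ] && has_setuid_bit "$1" && [ "$(owner_uid "$1")" = "0" ]
}

# ardagent_running: true if a process named ARDAgent is running. With Remote
# Management enabled the agent stays resident, which is the post's workaround.
ardagent_running() {
    ps ax -o comm= | grep -q 'ARDAgent$'
}

# assess_exposure FILE: print a one-line verdict and return
#   0  FILE is absent or not set-user-ID root: the bug cannot be triggered
#   1  FILE is set-user-ID root and no ARDAgent process is running: exposed
#   2  FILE is set-user-ID root but ARDAgent is resident (the Remote
#      Management workaround): mitigated, except for the kill-and-rerun race
#      described in the update
assess_exposure() {
    if ! is_setuid_root "$1"; then
        echo "ok: $1 is absent or not set-user-ID root"
        return 0
    fi
    if ardagent_running; then
        echo "mitigated: $1 is set-user-ID root, but ARDAgent is already running"
        return 2
    fi
    echo "EXPOSED: $1 is set-user-ID root and ARDAgent is not running"
    return 1
}

assess_exposure "$ARD_BIN"
```

Run it as the logged-in user before and after applying the workaround: the verdict should move from EXPOSED to mitigated, and to ok only once the binary is removed or no longer set-user-ID root. Note that a result of 2 means the resident agent is what is protecting you, so the race the update describes still applies.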
If only all security threats were that easy to fix!
Thanks Mike, Robert and Scott!