Don’t Use chmod To Block Mac OS X ARDAgent Vulnerability

By Rich | June 26, 2008

Just a quick note: if you used chmod to change the permissions of ARDAgent to block the privilege escalation vulnerability being used by the new trojans, you should still go compress or remove it. Repairing permissions restores ARDAgent's original permissions and opens the vulnerability again.

I suppose you could also make sure you don’t repair permissions, but it’s easiest to just remove it.

I removed the chmod recommendation from the TidBITS article.

3 Comments

rmogull 2008-06-26
Just running ARDAgent closes a bunch of the ways this can be exploited. Other than that, you'll need to wait for a patch. Again, this is a really low risk vulnerability.
Dave Ely 2008-06-26
I am somewhat surprised that so few people are using Martin Kou's approach, which seems a lot more useful. http://martinkou.blogspot.com/2008/06/how-to-properly-fix-mac-os-x-ardagent.html The idea is to make ARDAgent pay attention to its dictionary, which is empty so far as I can tell. There may yet be a hole in there, but it's no longer able to run arbitrary shell scripts.
Johnny Tolliver 2008-06-25
What about those of us who work in an IT environment in which we are *required* to run ARD?