ARDAgent.app Still Vulnerable


When Apple pushed their most recent security update, the first thing we checked was whether the ARDAgent issue was fixed. It’s not. This vulnerability lets anyone execute code as a privileged user, and versions of this attack have already been found in the wild. While several Ruby, SMB, and WebKit issues were addressed, ARDAgent is still unpatched. [Dino Dai Zovi] has published the method by which ARDAgent actually becomes vulnerable: when it starts, it installs its own Apple Event handlers and calls AESetInteractionAllowed() with kAEInteractWithSelf. This should restrict it to only its own events, but for some reason that’s not the resulting behavior. He also pointed out that SecurityAgent has displayed similar weirdness; it is vulnerable to Apple Events even though it doesn’t call an Apple Events function. We can see how this unexpected behavior could make patch development take much longer, and it may end up uncovering an even bigger problem. Check out [Dino]’s post for more information.

One thought on “ARDAgent.app Still Vulnerable”

  1. MAC;PC? What's the difference? Steve and Bill should have been nicer to the public. For their greediness
    everyone must suffer. I hope they both burn.%)
    BURN! BABY BURN! OPEN SOURCE!!
    Even the hackers quit!
