Mac Forum / Applications / Mac Applications / June 2008
Can someone verify if this Mac OS warning is authentic????

Dudley Henriques - 19 Jun 2008 19:14 GMT
-------- Original Message --------
Subject:     [Fwd: Major Mac OS X Vulnerability]
Date:     Thu, 19 Jun 2008 13:42:34 -0400
From:     Vivian Hasiuk <hasiuk@physics.upenn.edu>
To:     undisclosed-recipients:;

Vivian, could you please forward this along to the department?  Thanks.
-------- Original Message --------
Subject:     Major Mac OS X Vulnerability
Date:     Thu, 19 Jun 2008 12:25:14 -0400
From:     Christopher M. Leary <learycm@sas.upenn.edu>
To:     hasiuk@physics.upenn.edu
CC:     help@physics.upenn.edu <help@physics.upenn.edu>

---

Hello Everyone,

There has been a major vulnerability found in the screen sharing utility
built into Mac OS X 10.4 and 10.5 which allows root (admin) access to
the attacker.  It is a simple attack to execute and is a very large
vulnerability.  This attack will work even if you do not use or have not
enabled the screen sharing utility.

However, there is an easy fix where we can just remove permissions from
the vulnerable client.

You can fix this by opening up Terminal (hit Apple-Spacebar then type in
Terminal) and pasting in the following command:

sudo chmod -s /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

After executing the above command it will ask you for your password.
While typing in your password no asterisks will appear, just blank
space.  If the command executed properly it should look like nothing
happened and you can just type exit and hit Apple-Q to quit.

If you have any Mac machines with OS X 10.4 or 10.5 installed and would
like assistance closing this hole please let us know by emailing
"help@physics.upenn.edu" and one of us will come help.
Signature

Christopher M. Leary
IT Support Specialist (IRCS/Perception Psych/Physics)
215.746.2396
http://www.sas.upenn.edu/~learycm

--
Dudley Henriques

Gregory Weston - 19 Jun 2008 19:32 GMT
> -------- Original Message --------
> Subject:     [Fwd: Major Mac OS X Vulnerability]
[quoted text clipped - 38 lines]
> like assistance closing this hole please let us know by emailing
> "help@physics.upenn.edu" and one of us will come help.

It's apparently real, but there's some question as to how widespread it
is. I can't reproduce it, but people I've come to consider reliable
sources over several years here can.

Signature

"Harry?" Ron's voice was a mere whisper. "Do you smell something ... burning?"
  - Harry Potter and the Odor of the Phoenix

Calum - 19 Jun 2008 20:44 GMT
> It's apparently real, but there's some question as to how widespread it
> is. I can't reproduce it, but people I've come to consider reliable
> sources over several years here can.

Same story here.  We've tried it on about 20 different Macs in our
place, and it's only reproducible on about half of them.  So far, we
haven't deduced any pattern as to which ones are affected and which aren't.

Dudley Henriques - 19 Jun 2008 22:17 GMT
> -------- Original Message --------
> Subject:     [Fwd: Major Mac OS X Vulnerability]
[quoted text clipped - 37 lines]
> like assistance closing this hole please let us know by emailing
> "help@physics.upenn.edu" and one of us will come help.

Thanks everyone who replied.

Signature

Dudley Henriques

Jolly Roger - 20 Jun 2008 00:06 GMT
> However, there is an easy fix where we can just remove permissions from
> the vulnerable client.
[quoted text clipped - 5 lines]
> /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

I've verified this fixes the problem on several Macs running 10.5.

Signature

Please send all responses to the relevant news group rather than directly
to me, as E-mail sent to this address may be devoured by my very hungry
SPAM filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google Groups.
You'll need to use a real news reader if you want me to see your posts.

JR

Matt Broughton - 20 Jun 2008 00:57 GMT
> > However, there is an easy fix where we can just remove permissions from
> > the vulnerable client.
[quoted text clipped - 8 lines]
>
> I've verified this fixes the problem on several Macs running 10.5.

Same experience here -- at least until you repair permissions.  When you
repair permissions, it will revert back to original problem.

Original listing --
-rwsr-xr-x  1 root  wheel  1439952 Nov 15  2007 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

After running the sudo chmod -s --
-rwxr-xr-x  1 root  wheel  1439952 Nov 15  2007 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

After repairing permissions --
-rwsr-xr-x  1 root  wheel  1439952 Nov 15  2007 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent

Signature

Matt Broughton
Only relatives are absolute.
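An added example, not code from the thread: a small POSIX sh check that reports whether a binary carries the setuid bit, applies the chmod -s fix quoted in the original message, and re-checks afterwards, which matters because Repair Permissions puts the bit back as noted above. It runs on a constructed temporary file standing in for ARDAgent; on a real machine you would pass the ARDAgent path from the thread (with sudo, since that file is root-owned).

```shell
#!/bin/sh
# Added example (not from the thread): detect, clear and re-check the setuid
# bit on a binary. Demonstrated on a constructed temp file so it runs
# anywhere; the real target would be the ARDAgent path named in the thread.

# Print "setuid" if the path has the setuid bit, "clear" otherwise.
# Returns 2 if the path does not exist (so a typo is not reported as "clear").
setuid_state() {
    [ -e "$1" ] || return 2
    if [ -u "$1" ]; then echo setuid; else echo clear; fi
}

# The thread's fix: strip the setuid/setgid bits, then report the new state.
# On the real root-owned binary this needs sudo; the temp file here is ours.
clear_setuid() {
    chmod -s "$1" || return 1
    setuid_state "$1"
}

# Walk through the three listings Matt posted: original, after chmod -s,
# and after something (here a plain chmod) restores the bit.
demo() {
    tmp=$(mktemp) || return 1
    chmod 4755 "$tmp"               # -rwsr-xr-x, like the original listing
    before=$(setuid_state "$tmp")   # setuid
    after=$(clear_setuid "$tmp")    # clear
    chmod u+s "$tmp"                # stand-in for Repair Permissions reverting it
    again=$(setuid_state "$tmp")    # setuid again: the check must be repeated
    rm -f "$tmp"
    echo "$before $after $again"
}

demo
```

Running the check periodically (or after every Repair Permissions) is what catches the revert Matt describes, since the fix itself is one-shot.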

Jolly Roger - 20 Jun 2008 01:42 GMT
> > > However, there is an easy fix where we can just remove permissions from
> > > the vulnerable client.
[quoted text clipped - 11 lines]
>
> Same experience here -- at least until you repair permissions.  

No problem for me - I rarely repair permissions.  Repair permissions
simply isn't the magical tool most people think it is.

Signature

Please send all responses to the relevant news group rather than directly
to me, as E-mail sent to this address may be devoured by my very hungry
SPAM filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google Groups.
You'll need to use a real news reader if you want me to see your posts.

JR

Megadave - 22 Jun 2008 03:24 GMT
> > > > However, there is an easy fix where we can just remove permissions from
> > > > the vulnerable client.
[quoted text clipped - 16 lines]
> No problem for me - I rarely repair permissions.  Repair permissions
> simply isn't the magical tool most people think it is.

Is there a "downside" to running permissions repair?  I mean, I can see
an issue with doing so on certain home-compiled tools/databases.. but
aside from that..?

Signature

[P]eople
[E]ating
[T]asty
[A]nimals

Jolly Roger - 22 Jun 2008 17:16 GMT
> > > > > However, there is an easy fix where we can just remove permissions
> > > > > from
[quoted text clipped - 22 lines]
> an issue with doing so on certain home-compiled tools/databases.. but
> aside from that..?

Repair Permissions has a flaw, in that it does not know how to resolve
the case where multiple receipts list the same file or folder with
differing ownership and permissions. This actually happens fairly
frequently, particularly when more than one software package installs
and uses a shared library or other system resource that happens to be
used by another software package. If there are multiple receipts that
list a file or folder in /private, for instance, and the ownership and
permissions differ between those two receipts, the Repair Permissions
function will encounter the first receipt, change the ownership and
permissions to reflect that receipt, then encounter the second receipt
and change the ownership and permissions to match the second receipt.
This typically manifests itself in Disk Utility's Repair Permissions log
as a file/folder that never seems to be actually repaired.

Signature

Please send all responses to the relevant news group rather than directly
to me, as E-mail sent to this address may be devoured by my very hungry
SPAM filter. Due to Google's refusal to prevent spammers from posting
messages through their servers, I often ignore posts from Google Groups.
You'll need to use a real news reader if you want me to see your posts.

JR

Barry Margolin - 20 Jun 2008 02:25 GMT
See the thread "Applescript Vulnerability" in comp.sys.mac.system.

Signature

Barry Margolin, barmar@alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
*** PLEASE don't copy me on replies, I'll read them in the group ***

Megadave - 22 Jun 2008 16:20 GMT
The warning is authentic, but based on what I've read and tried on my
own machines someone would have to have physical access to your machine
to execute the exploit it plugs.  So for lab machines I would do this,
but for private machines I do not see the point.

Signature

[P]eople
[E]ating
[T]asty
[A]nimals

william mitchell - 23 Jun 2008 14:11 GMT
> The warning is authentic, but based on what I've read and tried on my
> own machines someone would have to have physical access to your machine
> to execute the exploit it plugs.  So for lab machines I would do this,
> but for private machines I do not see the point.

One reason for doing so is that leaving the vulnerability means that
anyone who manages to break into a user account could easily escalate
to root.