Another Security Firm Acknowledges Mac Threats

Since we're on the topic of OS X security now, security firm Intego claims to have found a new vulnerability connected to Remote Management in Mac OS X. The company is also offering a solution (naturally) - its VirusBarrier X5 for Mac OS X 10.5.2 (Leopard).

Intego describes the exploit, "ARDAgent root privilege escalation," as follows:

Description: A vulnerability has been discovered that allows malicious programs to execute code as root when run locally, or via a remote connection, on computers running Mac OS X 10.4 and 10.5. This vulnerability takes advantage of the fact that ARDAgent, a part of the Remote Management component of Mac OS X 10.4 and 10.5, has a setuid bit set. Any user running such an executable gains the privileges of the user who owns that executable.

Intego notes that, in this case, the ARDAgent is owned by root. Since running code through the ARDAgent executable is done as root, it will not require a password. "When an application enables a root privilege escalation of this type, any malicious code that is run may have devastating effects," Intego warns. The exploit reported by Intego depends on the ability of the ARDAgent to run AppleScripts. This may, in turn, include shell script commands, so "the best way to protect against this exploit is to run Intego VirusBarrier X5 with its virus definitions dated June 19, 2008," says the company.

VirusBarrier X5 is said to perform an action that will deactivate ARDAgent's ability to run AppleScripts. Whether Mac users wish to buy the company's product or not, the security firm recommends that users never download and install software from untrusted sources or questionable websites.

Along with the full, purchasable version of VirusBarrier X5 for Leopard, Intego is also offering a 30-day free trial of the software. Files or volumes may be scanned to detect viruses, but the repair function is de-activated in the trial version. To continue using the program, users will have to buy a $69.95 license from Intego.