We recently wrote about a critical threat to Mac OS X which allows malicious programs to execute code as root when run locally, or via a remote connection, on computers running Mac OS X 10.4 and 10.5. This vulnerability exploits a flaw in ARDAgent, an application that allows remote users to legitimately control Macs using Apple Remote Desktop software. (This is used in schools, labs and businesses by administrators who manage multiple Macs.) Rob Griffiths, writing at Macworld, gives an under-the-hood look at exactly how this vulnerability works and what the implications are.
We’re still waiting for word from Apple about this vulnerability, which has been universally criticized, and which remains a critical threat. In the meantime, Intego VirusBarrier has updated its virus definitions several times to protect against Trojan horses that exploit this flaw. Keep your copy of VirusBarrier up to date so you can ensure your Mac is protected.
Adobe has released a security update for Acrobat Reader and Acrobat Professional, for all platforms, versions 8.0 through 8.1.2 and versions 7.09 and earlier. As the Adobe security advisory says, “A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.”
But this is yet another JavaScript vulnerability in Acrobat, and security researchers are questioning why this happens so often. Andrew Storms, director of security operations at nCircle Network Security, quoted on Computerworld, said, “With this many JavaScript bugs in Acrobat, one begins to ask questions. Why would a full, thick application like Acrobat need to be using JavaScript, especially when JavaScript in the browser has historically been a target for hackers? And since JavaScript has been a target for so many years, why hasn’t Adobe flushed out these vulnerabilities already?”
It’s true that Acrobat is regularly updated for security reasons, perhaps more often than it should need to be. But with PDFs offering more advanced features (such as links to websites), it’s probably no surprise that vulnerabilities are being turned up.
Mac users certainly don’t need to use Acrobat, since Preview, the tool included with Mac OS X, performs most of the actions that one needs when viewing PDFs. However, Acrobat Pro is needed for advanced PDF creation. While Mac OS X can create PDFs from any document, there are few options available to refine and slim these files.
So if you use Acrobat, make sure to download this latest update. With the ease at which people download and open PDF files from the web, this is one program that you want to be sure of.
Dino Dai Zovi has written an article at ZDNet discussing last week’s discovery of a critical threat to Mac OS X, and another announcement of a Trojan horse exploiting this discovery. He suggests that Snow Leopard, or Mac OS X 10.6, should integrate more robust means of preventing malware attacks. Some of the suggestions he has include mandatory code-signing for kernel extensions (so only certified kernel extensions can run), sandbox policies for Safari, Mail, and third-party applications (so these applications cannot do anything to the system), and some lower-level changes, such as hardware-enforced Non-eXecutable memory and address space layout randomization.
While these are all good ideas, they don’t address one of the main problems: the user. The current ARDAgent vulnerability affects a Mac OS X system when a user launches a Trojan horse. Address space layout randomization won’t change this; users will always download and launch files. But ensuring that the system doesn’t allow such things to do damage without serious warnings would protect users from many possible dangers. Snow Leopard will clearly be addressing some of the more serious security issues in Mac OS X, as Apple is using this version of its operating system to attempt to gain a foothold in the enterprise market. (The presence of Microsoft Exchange support shows that Apple wants more enterprise presence.) But in the meantime, users need to be protected from malware, and need solid, reliable software such as Intego VirusBarrier to ensure that when they do launch a file they’ve downloaded, it won’t do damage.
More and more people are using smartphones, such as Apple’s iPhone, but also the Blackberry, Palm Treo and other devices. Many of these phones’ users don’t realize that these devices are computers; they’re not just mobile communication devices, but more and more they do the same things as computers. You can surf the web, run applications, edit documents, send and receive e-mail; you can do all the things you’d do on a desktop or laptop computer.
In an article published by Macworld, from its sister publication Network World, John Cox asks the question: should people, especially those in the enterprise, worry about smartphone viruses? Current smartphone viruses, of which there are few, can propagate via Bluetooth, sending themselves to many devices automatically, and others can spread via MMS. While this vector is a threat, it has been contained so far. But a larger issue is the type of threat that can come from browsing the web, as cross-site scripting vulnerabilities are discovered almost daily.
No malware has yet targeted the iPhone, but it is no more immune from such threats than any other platform or device. If anything, the fact that the iPhone runs on Mac OS X makes it more vulnerable, since hackers are becoming familiar with the platform and are learning how to sneak past its defenses, as we have seen recently.
So while there’s no need to worry yet, there’s a good chance that malware will be a major source of worry for smartphone users in the near future. Smartphone users should work with the same level of security as computer users. No device is immune.
Intego today released a security memo about a new Mac OS X Trojan horse, OSX.Trojan.PokerStealer. The Trojan horse, when run, activates ssh on the Mac on which it is running, then sends the user name and password hash, along with the IP address of the Mac, to a server. It asks for an administrator’s password after displaying a dialog saying, “A corrupt preference file has been detected and must be repaired.” Entering the administrator’s password enables the program to accomplish its tasks. After gaining ssh access to a Mac, malicious users can attempt to take control of it, delete files, damage the operating system, or much more.
Read the full security memo here.
A vulnerability has been discovered that allows malicious programs to execute code as root when run locally, or via a remote connection, on computers running Mac OS X 10.4 and 10.5. This vulnerability takes advantage of the fact that ARDAgent, a part of the Remote Management component of Mac OS X 10.4 and 10.5, has a setuid bit set. Any user running such an executable gains the privileges of the user who owns that executable. In this case, ARDAgent is owned by root, so running code via the ARDAgent executable runs this code as root, without requiring a password. The exploit in question depends on ARDAgent’s ability to run AppleScripts, which may, in turn, include shell script commands.
Read the rest of Intego’s Security Alert here.
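The alert above turns on one detail: an executable owned by root with the setuid bit set runs as root for whoever launches it. The following audit script is an added example, not Intego’s or Apple’s code; it walks a directory tree and reports every executable carrying the setuid or setgid bit, flagging the root-owned setuid case. The `demo()` function builds a constructed sample tree in a temporary directory rather than touching real system files; to inspect a real tree, pass its path as the first argument.

```python
import os
import pwd
import stat
import sys
import tempfile


def audit_setuid(root):
    """Walk `root` and report every regular file that is executable and
    carries the setuid or setgid bit. Returns a list of dicts sorted by path."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = st.st_mode
            executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
            setuid, setgid = bool(mode & stat.S_ISUID), bool(mode & stat.S_ISGID)
            if executable and (setuid or setgid):
                try:
                    owner = pwd.getpwuid(st.st_uid).pw_name
                except KeyError:
                    owner = str(st.st_uid)
                findings.append({
                    "path": path, "owner": owner, "uid": st.st_uid,
                    "setuid": setuid, "setgid": setgid, "mode": stat.filemode(mode),
                    # The ARDAgent case: setuid + owned by root = runs as root for anyone.
                    "runs_as_root": setuid and st.st_uid == 0,
                })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Constructed sample tree (hypothetical names, not real system files):
    only 'agent' is both executable and setuid, so only it is reported."""
    base = tempfile.mkdtemp(prefix="setuid-audit-")
    samples = {"agent": 0o4755, "tool": 0o755, "data": 0o4644}
    for name, mode in samples.items():
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hi\n")
        os.chmod(path, mode)  # chmod after writing; a write would clear the bit
    return [os.path.basename(f["path"]) for f in audit_setuid(base)]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for f in (audit_setuid(target) if target else []):
        print(f["mode"], f["owner"], f["path"], "ROOT-SETUID" if f["runs_as_root"] else "")
    if not target:
        print("demo findings:", demo())
```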