Apple Releases Security Update Affecting Apple Remote Desktop || The Mac Observer

Skip navigational links

Choose text size:

You're viewing an article in TMO's historic archive vault. Here, we've preserved the comments and how the site looked along with the article. Use this link to view the article on our current site:
Apple Releases Security Update Affecting Apple Remote Desktop

Apple Releases Security Update Affecting Apple Remote Desktop

by , 5:05 PM EDT, October 27th, 2004

Apple has released Security Update 2004-10-27 for Mac OS X. The update deals with an issue that makes it possible for applications to be run with root privileges under certain circumstances involving Apple Remote Desktop. Apple's release notes:

Available for: Apple Remote Desktop Client 1.2.4 with Mac OS X 10.3.x

Impact: An application can be started behind the loginwindow and it will run as root.

Description: For a system with these following conditions

Apple Remote Desktop client installed
A user on the client system has been enabled with the Open and quit applications privilege
The username and password of the ARD user is known
Fast user switching has been enabled
A user is logged in, and loginwindow is active via Fast User Switching

If the Apple Remote Desktop Administrator application on another system is used to start a GUI application on the client, then the GUI application would run as root behind the loginwindow. This update prevents Apple Remote Desktop from launching applications when the loginwindow is active. This security enhancement is also present in Apple Remote Desktop v2.1. This issue does not affect systems prior to Mac OS X 10.3. Credit to Andrew Nakhla and Secunia Research for reporting this issue.

The update is being recommended for all users, though it only effects Apple Remote Desktop. The update weighs in at 832k, and can be found in Software Update, or on Apple's security update page.

Apple's Security Update Page

Warning: include(/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/extension.inc) [function.include]: failed to open stream: No such file or directory in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 108

Warning: include() [function.include]: Failed opening '/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/extension.inc' for inclusion (include_path='.:/usr/share/php5:/usr/share/php') in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 108

Warning: include(/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/common.) [function.include]: failed to open stream: No such file or directory in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 110

Warning: include() [function.include]: Failed opening '/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/common.' for inclusion (include_path='.:/usr/share/php5:/usr/share/php') in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 110

Warning: include(/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/includes/bbcode.) [function.include]: failed to open stream: No such file or directory in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 112

Warning: include() [function.include]: Failed opening '/usr/local/etc/httpd/sites/macobserver.com/htdocs/forums/includes/bbcode.' for inclusion (include_path='.:/usr/share/php5:/usr/share/php') in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 112

Fatal error: Call to a member function sql_query() on a non-object in /var/www/bbm/macobserver.com/ee2/www/htdocs/comments/comments.php on line 532

Recent Headlines - Updated May 21st

Tue, 2:11 PM: Native Instrument Releases Abbey Road 50s Drummer
12:47 PM: News - Senator Paul: Stop Bullying Apple
10:01 AM: News - AT&T Opening FaceTime Over Cellular to All
9:27 AM: TMO Appearances - Jeff Gamet Talks Apple Taxes on The Mac Show
8:44 AM: News - Google to Merchants: We’re Killing Google Checkout
Mon, 10:50 PM: Mac Geek Gab Podcast - MGG 450: Don’t Play Ding Dong Ditch on an Airplane
7:48 PM: News - Apple Hits Another Record in Retail Dollars Per Visitor
6:50 PM: Analysis - Bipartisan Senators Accuse Apple of Avoiding Billions in U.S. Taxes
5:58 PM: TMO Appearances - Bryan Chaffin Talks About Apple Monday at SVMUG
5:13 PM: Analysis - Apple Asks Congress to Eliminate Tax Loopholes, Lower Corporate Rates
2:55 PM: Quick Look Review - Manage Your Movie Wish List on iPhone with ToDoMovies
2:32 PM: Analysis - Samsung’s Answer to App Developer Interest: We’ll Pay You, Maybe

The Mac Observer Reader Specials

Support TMO, Buy from Amazon, MacMall and The Apple Store

© The Mac Observer, Inc. -- All rights reserved. All information presented on this site is copyrighted by The Mac Observer, Inc. except where otherwise noted. No portion of this site may be copied without express written consent. Other sites are invited to link to any aspect of this site provided that all content is presented in its original form and is not placed within another frame. The Mac Observer is an independent publication and has not been authorized, sponsored, or otherwise approved by Apple, Inc.