It’s been more than 10 days since the latest AppleScript.THT Trojan horse for Mac OS X reared its ugly head, yet there is still no word or fix from Apple. The new threat to versions 10.4 and 10.5, classified as critical by the SecureMac security site, exploits a hole in the Apple Remote Desktop Agent (ARDAgent) to completely take over an infected Mac, delete files and wreak other kinds of havoc. The threat, discovered on June 19, was made public on the SecureMac site a week ago today.
There have been a few rumblings on Apple’s discussion forums, but to date no official advice from the company. Two other Trojans were reported earlier in June, both involving ARDAgent executing code as the root user. In all cases, the offending file must be downloaded and executed.
The threat “is distributed as either a compiled AppleScript, called ASthtv05 (60 KB in size), or as an application bundle called AStht_v06 (3.1 MB in size),” according to the warning. It moves itself to the /Library/Caches folder and runs hidden; unless renamed, it can be found there as “AStht_06.app.” It also adds itself to the System Login Items and turns on file sharing, Web sharing and remote login.
In a June 20 posting on his Security Fix blog, Brian Krebs of the Washington Post explores the threat in detail and reports on Apple’s apparent lack of concern. In a June 23 post, Krebs reports on a template that hackers can use to further exploit the vulnerability. Mac OS X may be less vulnerable than Windows, but it is clearly not immune.
What irks me is that virtually any Macintosh made within the last 3 years, and/or running Mac OS X 10.4 or later has had a security vulnerability that allows any user on the system to gain unrestricted root access through a single command. And that's pretty much ANY computer running Tiger -- you don't need to be running Apple Remote Desktop in order to be vulnerable; ARDAgent still runs for some odd reason.
To make matters worse, today security updates were released alongside the 10.5.3 update, and from what I can tell, those updates don't even touch ARDAgent, so we can see how concerned Apple is about this right now. I'm certainly glad I fixed the permissions on ARDAgent myself on all my Macs.
For anyone interested: here's the Terminal command you should run to fix the permissions on ARDAgent. Cleverly, this command takes advantage of ARDAgent's own security vulnerability to perform the fix:
osascript -e 'tell app "ARDAgent" to do shell script "chmod 0555 /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent"';
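As an added example (not part of the original article), here is a small POSIX shell audit that checks the two conditions described above: whether the ARDAgent binary still carries its setuid bit, and whether the AStht_* files the Trojan drops in /Library/Caches are present. The paths are the ones quoted in the article; the environment-variable overrides and the function names are my own so the checks can be pointed at test files.

```sh
#!/bin/sh
# Added example, not from the original article: audit a Mac for a setuid
# ARDAgent binary and for AppleScript.THT artefacts in /Library/Caches
# (the article names AStht_06.app). Default paths are the ones quoted in
# the article; the environment overrides are an added assumption so the
# same checks can be exercised against test files.

ARDAGENT_BIN="${ARDAGENT_BIN:-/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent}"
CACHE_DIR="${CACHE_DIR:-/Library/Caches}"

# has_setuid PATH: prints "setuid", "clean" or "missing".
# "find -perm -4000" is POSIX, so it behaves the same under BSD and GNU find.
has_setuid() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing"
    elif [ -n "$(find "$path" -prune -perm -4000 2>/dev/null)" ]; then
        echo "setuid"
    else
        echo "clean"
    fi
}

# tht_artifacts DIR: lists AStht_* entries in DIR (AStht_06.app, or the
# AStht_v06 bundle name); exit status 0 only if something was found.
tht_artifacts() {
    dir="$1"; found=1
    for f in "$dir"/AStht_*; do
        [ -e "$f" ] || continue
        echo "$f"; found=0
    done
    return $found
}

# audit: human-readable summary; exit status 0 only if both checks are clean.
audit() {
    status=0
    case "$(has_setuid "$ARDAGENT_BIN")" in
        setuid) echo "ARDAgent is setuid: remove the bit with chmod 0555"; status=1 ;;
        clean)  echo "ARDAgent permissions OK" ;;
        *)      echo "ARDAgent not found at $ARDAGENT_BIN" ;;
    esac
    if tht_artifacts "$CACHE_DIR"; then
        echo "AppleScript.THT artefacts present in $CACHE_DIR"; status=1
    else
        echo "no AppleScript.THT artefacts in $CACHE_DIR"
    fi
    return $status
}
# Run "sh ardagent_audit.sh audit" to check the local machine.
case "${1:-}" in audit) audit ;; esac
```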