ARD Patcher is a free utility that patches the infamous ARDAgent exploit in Mac OS X 10.4 and 10.5.
Because of a privilege-escalation flaw in Apple's Remote Desktop Agent (ARDAgent), a new 'trojan horse' has surfaced for Mac OS X, and with it appeals from anti-virus software companies claiming you need to buy a product to protect yourself. The truth: so far this trojan horse has not been documented in the wild, and in fact we find it highly suspicious that multiple anti-virus companies have been able to get hold of it.
ARD Patcher is a small application that will patch the exploit, free of charge; in reality it is a simple patch that Apple will surely fix in an upcoming update. Getting an anti-virus program is overkill in this situation, despite what all those companies will tell you.
Note: This does *not* disable Apple Remote Desktop. Unlike some of the other fixes circulating around the Internet, this one requires neither disabling ARD nor enabling Remote Management.
What's New
Version 1.2: fixes crash-on-start issue on Tiger, added check for partial vulnerability
Version 1.1: added an advanced option to disable ARD altogether.
Requirements
PPC / Intel, Mac OS X 10.4 or later.
I noticed that this said they'd never encountered this in the wild, so I thought I'd post a quick tale of woe here. I'm not sure which program I downloaded which allowed this issue to show up, and I'm still not quite sure if this is the actual issue. Fingers crossed--the patch seems to have taken care of it for now.
I had my Gmail account linked to the Mail app, once upon a time. One fine day, I turned on my MacBook (10.5.8) and the Mail app logged in all of its own accord. I had never set it to do this and attempted to close it. I failed. As soon as the Mail app opened, messages and appointment reminders began cascading down and across my screen as if I'd stumbled into a porn website with vicious pop-up windows, only less interesting. I noticed that the messages and appointment reminders were old (it was an old Gmail address), and they simply kept repeating.
Eventually I managed to get the Mail app uninstalled so that the flurry of messages stopped, but an annoying pop-up window appeared and asked "Where is Mail.app?" I started investigating the processes and noticed that the ARD Agent was continually running. Upon investigating the possibilities, I downloaded the patch, too. The annoying "Where is Mail.app?" message has gone away, too.
Whether or not this is an instance of the trojan horse in the wild, perhaps you can tell me? I uninstalled the ARD program, too, which required "Cut The Rope" timing skills, because every time I killed the process, it would restart in less than two seconds. If I didn't drag the program to the trashcan in that window of time, the laptop wouldn't let me remove it because it was in use.
Wakayama reviewed on 08 Jul 2008
Many thanks! Too bad some companies *cough* Apple *cough* can't be as swift with patches.
Mind you, they are running a bit low on funds these days, so maybe manpower resources are an issue.
Cheers!
I have not been able to reproduce the ARD attack on my machine. If you do not have ARD enabled, then the ARD component required to launch the attack is not running and accepting Applescript messages.
Actually Peter, that's not true; the method of exploiting ARDAgent involves giving it a "do shell script" command locally. This means any malicious app can effectively compromise your machine without your knowledge, and without asking for an administrator password. I suggest reading the article on the exploit at macworld.com, as it will explain the problem more clearly.
Friend, I do understand how it works. I've got getting on for 30 years' experience with UNIX, and 20 years as a network and security administrator, and I have not only read the original report and article, I've tried several variations of the attack.
What I got was an error message, no shell script ran. Unless ARDAgent has run, there is no way for osascript to pass the "do shell script" command (or any other command) to the privileged ARDAgent process... because there is no such process for it to pass it to. Either my copy of Tiger is fundamentally different from every other copy of Tiger out there, or there's something else involved in this attack than simply "do shell script".
ARDAgent does not need to be running; osascript calls the ARDAgent executable, which is owned root:wheel with S_ISUID set, and tells it to execute a command of some sort.
The ARDAgent AppleScript dictionaries contain the "do shell script" command, and quite simply put, if you take a Mac out of the box and use osascript to tell ARDAgent to run a shell script, it *will* run a shell script with root privileges. If you tell ARDAgent to run whoami and it returns "root", then you are *not* safe, but if you get an error, it means your ARDAgent has been restricted to the default AppleScript dictionaries via the NSAppleScriptEnabled flag, and you are safe. This could be due to one of two reasons: either Remote Management is enabled, or you have the NSAppleScriptEnabled flag set to YES in ARDAgent.app's Info.plist. Either way, good for you, but millions of Macs out there *do* return "root", and that's enough to prove that they are vulnerable to a local attack vector.
If you would like to discuss this further with me please email me at yousef AT ifrancis DOT net
Regards,
Youssef Francis
I suggest you try it on a Mac taken straight out of the box. Seriously.
Until you run ARDAgent, its Applescript dictionaries do not seem to be registered with anything. You don't have to poke around in the .plist and you don't have to start up remote management. I have tested this on my Mac which is, as far as ARD is concerned, taken straight out of the box, and the "do shell script" does NOT run ARDAgent.
If you do not use ARD, then how do you imagine osascript will know how to find ARDAgent?
The dev is correct, Peter. ARDAgent does not need to be running for the trojan to work. Every source I have read, including the Macworld source linked above, confirms this.
My experience is similar to Peter's. I've been unable to reproduce this on my 10.4.11 and 10.5.4 systems, even though an ARDAgent process has run and eventually times out:
23:47: execution error: ARDAgent got an error: AppleEvent timed out. (-1712)
Unfortunately, quite a few people have, and when they tell ARDAgent to "do shell script 'whoami'" it returns "root". All the reasoning and arguing in the world will not change the fact that this has happened and will continue to happen until Apple fixes it. Let me refer you to a few choice websites explaining this issue; many include user feedback proving that this exploit does indeed exist:
http://blog.washingtonpost.com/securityfix/2008/06/serious_security_vulnerabilty_1.html
http://www.frsirt.com/english/advisories/2008/1905
http://www.macworld.com/article/134165/2008/06/ardagent.html?t=
http://secunia.com/advisories/30776/
http://it.slashdot.org/it/08/06/18/1919224.shtml
I don't understand why you find it necessary to argue that this exploit does not exist. Do you think we would have spent hours during the last few days working on a *free* patch if the exploit didn't exist?
Regardless, if you feel that you have implemented adequate security measures on your end, nobody is forcing you to use this tool.
Peter didn't argue that this exploit doesn't exist; he said he hasn't been able to reproduce it on his machine (nor have I on mine). I think his intention was simply to mention why it may not be as widespread a vulnerability as many people are claiming and believing it is. And he wasn't critical of your tool; nothing in his post even mentioned it.
I've got to say that Peter is spot on here. It so happened that I installed a new Tiger system on an old iBook today for someone, and updated it to 10.4.11. Ran the osascript that ifrancisco's Slashdot link suggested [osascript -e 'tell app "ARDAgent" to do shell script "whoami"'], and it returned 'AppleEvent timed out (-1712)'.
My macbook pro returned 'root'.
This is exactly as Peter suggested: a box that had never turned on ard is not vulnerable.
That said, many thanks for this app, and I WILL be running it on my other Macs, which have all had ARD switched on.
That's precisely correct: I'm not putting your work down, and if your patch allows people to use ARD safely, that's great. If they don't have a need for ARD, though, don't you think it might be possible to remove the registration of ARDAgent's Applescript dictionary so that osascript doesn't use it?
Actually, we pretty much don't care if people put our work down :P, and I'm not saying you were doing that either, my issue with your comments was that they diverged from reality and may have confused some of the people researching this topic. The fact remains, the ARDAgent exploit exists whether you use ARD or not, and actually, we provide both options to the users, in the form of an advanced option that removes the setuid bit from ARDAgent, effectively disabling the exploit *as well as* disabling Apple Remote Desktop Admin - which will *not* start unless that setuid bit exists.
I think we have pretty well confirmed that the ARD exploit does NOT exist (at least not in Tiger) if you have not run ARDAgent. That's not "counter to reality", that's just the way osascript works... it doesn't go grovelling through the disk looking for programs that might register with Applescript.
Actually, the description for this utility is a bit off. It DOES enable and require Remote Management. After running the tool, Remote Management was enabled on my system. Disabling it causes ARD Patcher to report I'm no longer secure.
Does this "patch" affect the function of Apple Remote Desktop for those who use the program as either a client or admin?
It doesn't say what it actually does, but if the program actually disables ARD in an environment it's being used that wouldn't be a good thing to do without knowing first.
No, this does not disable ARD, nor does it force-enable remote management. It basically tricks ARDAgent into thinking that remote management *is* enabled even when its not, and more importantly, it forces ARDAgent to use the default applescript dictionaries, which don't include the "do shell script" command.
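A triage script for what this thread argues over, added here by the editor; it is not ARD Patcher's code and nothing in it comes from the developer or the other posters. It turns Youssef's test (whoami returning root means vulnerable, an error means the dictionaries are restricted), the -1712 timeout that Peter and the iBook install reported on boxes that had never run ARDAgent, and the "partial vulnerability" idea from version 1.2 into one POSIX sh script, and wraps the advanced option of dropping the setuid bit as an opt-in step. Assumptions: the ARDAgent paths are the 10.4/10.5 locations from memory; the verdict names, the constructed sample Info.plist (including its bundle identifier), the reading of -1712 as "partial", and the use of plutil -convert xml1 -o - to turn a binary plist into XML are the editor's, not the page's.

```shell
#!/bin/sh
# Added example (not ARD Patcher's code): triage the ARDAgent setuid/AppleScript
# issue discussed in the thread, and optionally apply the "remove setuid" option.
# Paths are the 10.4/10.5 locations as remembered by the editor: assumed.

ARDAGENT_APP="/System/Library/CoreServices/RemoteManagement/ARDAgent.app"
ARDAGENT_BIN="$ARDAGENT_APP/Contents/MacOS/ARDAgent"
ARDAGENT_PLIST="$ARDAGENT_APP/Contents/Info.plist"
PROBE='tell app "ARDAgent" to do shell script "whoami"'

# Constructed sample of an Info.plist with the flag set the way Youssef
# describes; the bundle identifier is made up for the example.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleIdentifier</key>
	<string>com.example.ARDAgent</string>
	<key>NSAppleScriptEnabled</key>
	<string>YES</string>
</dict>
</plist>'

# Setuid shows up as s (or S when not executable) in the owner-execute slot,
# the 4th character of an ls -l mode string such as -rwsr-xr-x.
mode_has_setuid() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Read a boolean key out of XML plist text. Prints YES, NO or MISSING.
# Accepts <true/>, <false/> and the <string>YES</string> form the thread mentions.
plist_flag() {
    printf '%s\n' "$1" | awk -v key="$2" '
        found && /<key>/     { print "MISSING"; done=1; exit }
        found && /<true\/>/  { print "YES"; done=1; exit }
        found && /<false\/>/ { print "NO";  done=1; exit }
        found && /<string>/  { v=$0; sub(/.*<string>/, "", v); sub(/<\/string>.*/, "", v)
                               print (toupper(v) == "YES" ? "YES" : "NO"); done=1; exit }
        index($0, "<key>" key "</key>") { found=1 }
        END { if (!done) print "MISSING" }'
}

# Map the probe's combined stdout+stderr to a verdict, following the thread:
# "root" means the shell script ran as root; error -1712 (AppleEvent timed out)
# is what boxes that had never run ARDAgent returned; any other execution error
# is the dictionary-restricted case Youssef describes.
classify_probe() {
    case "$1" in
        root)                echo VULNERABLE ;;
        *"(-1712)"*)         echo NOT_REACHABLE_NOW ;;
        *"execution error"*) echo BLOCKED ;;
        "")                  echo NO_OUTPUT ;;
        *)                   echo UNEXPECTED ;;
    esac
}

# Combine the observations. Not reachable but still setuid root is the
# "partial" case: nothing to talk to today, exploitable once ARDAgent has run.
overall_verdict() {   # $1 = probe verdict, $2 = 1 if setuid, $3 = plist flag
    if [ "$1" = VULNERABLE ]; then
        echo "VULNERABLE: do shell script runs as root"
    elif [ "$2" = 1 ] && [ "$1" = NOT_REACHABLE_NOW ]; then
        echo "PARTIAL: setuid root still set; exploitable once ARDAgent has run"
    elif [ "$2" = 1 ]; then
        echo "MITIGATED: setuid set but scripting restricted (NSAppleScriptEnabled=$3)"
    else
        echo "SAFE: setuid bit removed (ARD Admin will not start)"
    fi
}

live_triage() {
    if ! command -v osascript >/dev/null 2>&1; then
        echo "not a Mac OS X host (no osascript); nothing to probe" >&2
        return 2
    fi
    mode=$(ls -ld "$ARDAGENT_BIN" 2>/dev/null | cut -c1-10)
    setuid=0; mode_has_setuid "$mode" && setuid=1
    # plutil can emit XML for a binary plist; fall back to the raw file (assumed).
    xml=$(plutil -convert xml1 -o - "$ARDAGENT_PLIST" 2>/dev/null || cat "$ARDAGENT_PLIST")
    flag=$(plist_flag "$xml" NSAppleScriptEnabled)
    out=$(osascript -e "$PROBE" 2>&1)
    probe=$(classify_probe "$out")
    echo "mode=$mode setuid=$setuid NSAppleScriptEnabled=$flag probe=$probe"
    overall_verdict "$probe" "$setuid" "$flag"
}

# The thread's "advanced option": dropping setuid kills the exploit but also
# Apple Remote Desktop Admin, which needs the bit. Opt-in only.
remove_setuid() {
    sudo chmod u-s "$ARDAGENT_BIN" && ls -l "$ARDAGENT_BIN"
}

case "${1-}" in
    --probe) live_triage ;;
    --fix)   remove_setuid ;;
esac
```

Run it on the Mac itself as `sh ard_triage.sh --probe`; `--fix` applies `chmod u-s` and, as the developer says, will stop Apple Remote Desktop Admin from starting. The helpers take their input as arguments, so the verdict logic can be exercised on any system without ARDAgent present.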
We have received your crash reports, and thanks to your feedback, we've fixed the crash-on-start problem on Tiger. Expect an update later today addressing this issue.
jdac21 reviewed on 06 Jul 2008
It works too well for something so simple. Great app, lads.
Thanks, jdac21
mswfujowdffyc reviewed on 06 Jul 2008
dstan reviewed on 06 Jul 2008
Many thanks. Cheers.
GrooveMachine reviewed on 06 Jul 2008
tim.dehring reviewed on 05 Jul 2008
Also, forgot to rate the app.
(Can't upgrade to 10.4.11 as we need to keep a Safari 2 test machine around, unfortunately)
I have sent the Crash Report to the developer.
No doubt ARD v1.2 will soon be released (or, so I hope).
Thanks!
Rarely does a developer respond so promptly, and rarer still when it is freeware.
Five stars from me!