http://www.macupdate.com/download/27947/ardp1.2.zip
ARD Patcher is a free utility that patches the infamous ARDAgent exploit in Mac OS X 10.4 and 10.5.

Due to an exploit in Apple's Remote Desktop Agent, a new 'trojan horse' has surfaced for Mac OS X; and with it, appeals from Anti-Virus software companies claiming you need to buy a product to protect yourself. The truth: this trojan horse, so far, has not been documented in the wild, and in fact, we find it highly suspicious that multiple Anti-Virus companies have been able to get a hold of it.

ARD Patcher is a small application that will patch the exploit, free of charge, as in reality it's a simple patch that Apple will more...

What's New

Version 1.2: fixes the crash-on-start issue on Tiger; adds a check for partial vulnerability.

Version 1.1: adds an advanced option to disable ARD altogether.

Requirements

Mac OS X 10.4 or later

ARD Patcher User Discussion

Logosamorbos
+0

I noticed that this said they'd never encountered this in the wild, so I thought I'd post a quick tale of woe here. I'm not sure which program I downloaded which allowed this issue to show up, and I'm still not quite sure if this is the actual issue. Fingers crossed--the patch seems to have taken care of it for now.

I had my Gmail account linked to the Mail app, once upon a time. One fine day, I turned on my MacBook (10.5.8) and the Mail app logged in all of its own accord. I had never set it to do this and attempted to close it. I failed. As soon as the Mail app opened, messages and appointment reminders began cascading down and across my screen as if I'd stumbled into a porn website with vicious pop-up windows, only less interesting. I noticed that the messages and appointment reminders were old (it was an old Gmail address), and they simply kept repeating.

Eventually I managed to get the Mail app uninstalled so that the flurry of messages stopped, but an annoying pop-up window appeared and asked "Where is Mail.app?" I started investigating the processes and noticed that the ARD Agent was continually running. Upon investigating the possibilities, I downloaded the patch, too. The annoying "Where is Mail.app?" message has gone away, too.

Whether or not this is an instance of the trojan horse in the wild, perhaps you can tell me? I uninstalled the ARD program, too, which required "Cut The Rope" timing skills, because every time I killed the process, it would restart in less than two seconds. If I didn't drag the program to the trashcan in that window of time, the laptop wouldn't let me remove it because it was in use.

0 replies
Version 1.2
Wakayama
+0

Many thanks! Too bad some companies *cough* Apple *cough* can't be as swift with patches.
Mind you, they are running a bit low on funds these days, so maybe manpower resources are an issue.

Cheers!

0 replies
Version 1.2
Jobby
+0

Runs fine on 10.5 but starts and immediately exits on a 10.4.10 box. Is anyone else having this problem?

(Can't upgrade to 10.4.11 as we need to keep a Safari 2 test machine around, unfortunately)

5 replies
Version 1.1
Harv
+0

On my DP 800, 10.4.11, I too am unable to get the app to run. Immediately upon launch, it crashes.

I have sent the Crash Report to the developer.

No doubt ARD v1.2 will soon be released (or, so I hope).

Theiphoneproject (developer)
+0

We have received your crash reports, and thanks to your feedback, we've fixed the crash-on-start problem on Tiger. Expect an update later today addressing this issue.

Thanks!

Theiphoneproject (developer)
+0

Version 1.2 has been released which addresses the crash-on-start issue on Tiger, thanks for all your feedback on this!

Harv
+0

ARD v1.2 now installs normally on my Tiger and I got the green confirmation that the exploit has been patched.

Rarely does a developer respond so promptly, and rarer still when it is freeware.

Five stars from me!

Jobby
+0

Thanks for the patch - if only big companies would fix things that fast :)

Peter da Silva
+0

I have not been able to reproduce the ARD attack on my machine. If you do not have ARD enabled, then the ARD component required to launch the attack is not running and accepting Applescript messages.

13 replies
Version 1.0
Theiphoneproject (developer)
+0

Actually, Peter, that's not true. The method of exploiting ARDAgent involves giving it a "do shell script" command locally. This means any malicious app can effectively compromise your machine without your knowledge, and without asking for an administrator password. I suggest reading the article on the exploit at macworld.com, as it will explain the problem more clearly.

Peter da Silva (developer)
+0

Friend, I do understand how it works. I've got getting on for 30 years' experience with UNIX, and 20 years as a network and security administrator, and I have not only read the original report and article, I've tried several variations of the attack.

What I got was an error message, no shell script ran. Unless ARDAgent has run, there is no way for osascript to pass the "do shell script" command (or any other command) to the privileged ARDAgent process... because there is no such process for it to pass it to. Either my copy of Tiger is fundamentally different from every other copy of Tiger out there, or there's something else involved in this attack than simply "do shell script".

Theiphoneproject (developer)
+0

ARDAgent does not need to be running; osascript calls the ARDAgent executable, which is owned root:wheel with S_ISUID set, and tells it to execute a command of some sort.

The ARDAgent AppleScript dictionaries contain the "do shell script" command, and quite simply put, if you take a Mac out of the box and use osascript to tell ARDAgent to run a shell script, it *will* run a shell script with root privileges. If you tell ARDAgent to run whoami and it returns "root", then you are *not* safe, but if you get an error, it means your ARDAgent has been restricted to the default AppleScript dictionaries via the NSAppleScriptEnabled flag, and you are safe. This could be due to 1 of 2 reasons: either Remote Management is enabled, or you have the NSAppleScriptEnabled flag set to YES in ARDAgent.app's Info.plist. Either way, good for you, but millions of Macs out there *do* return "root", and that's enough to prove that they are vulnerable to a local attack vector.

If you would like to discuss this further with me please email me at yousef AT ifrancis DOT net

Regards,
Youssef Francis

Peter da Silva (developer)
+0

I suggest you try it on a Mac taken straight out of the box. Seriously.

Until you run ARDAgent, its AppleScript dictionaries do not seem to be registered with anything. You don't have to poke around in the .plist and you don't have to start up remote management. I have tested this on my Mac which is, as far as ARD is concerned, taken straight out of the box, and the "do shell script" does NOT run ARDAgent.

If you do not use ARD, then how do you imagine osascript will know how to find ARDAgent?

Chadcn
+0

The dev is correct, Peter. ARDAgent does not need to be running for the trojan to work. Every source I have read, including the Macworld source linked above, confirms this.

sjk
+0

My experience is similar to Peter's. I've been unable to reproduce this on my 10.4.11 and 10.5.4 systems, even though an ARDAgent process has run and eventually times out:

23:47: execution error: ARDAgent got an error: AppleEvent timed out. (-1712)

Peter da Silva (developer)
+0

I wish people who insist that "the article is correct" would try it.

Theiphoneproject (developer)
+0

Unfortunately, quite a few people have, and when they tell ARDAgent to "do shell script 'whoami'" it returns "root". All the reasoning and arguing in the world will not change the fact that this has happened and will continue to happen until Apple fixes it. Let me refer you to a few choice websites explaining this issue; many include user feedback proving that this exploit does indeed exist.

http://blog.washingtonpost.com/securityfix/2008/06/serious_security_vulnerabilty_1.html
http://www.frsirt.com/english/advisories/2008/1905
http://www.macworld.com/article/134165/2008/06/ardagent.html?t=
http://secunia.com/advisories/30776/
http://it.slashdot.org/it/08/06/18/1919224.shtml

I don't understand why you find it necessary to argue that this exploit does not exist. Do you think we would have spent hours during the last few days working on a *free* patch if the exploit didn't exist?

Regardless, if you feel that you have implemented adequate security measures on your end, nobody is forcing you to use this tool.

sjk
+0

Peter didn't argue that this exploit doesn't exist; he said he hasn't been able to reproduce it on his machine (nor have I on mine). I think his intention was simply to mention why it may not be as widespread of a vulnerability as many people are claiming and believing it is. And he wasn't critical of your tool; nothing in his post even mentioned it.

Wakayama
+0

I've got to say that Peter is spot on here. It so happened that I installed a new Tiger system on an old iBook today for someone, and updated it to 10.4.11. Ran the osascript that ifrancisco's Slashdot link suggested [osascript -e 'tell app "ARDAgent" to do shell script "whoami"';], and it returned 'AppleEvent timed out (-1712)'.
My MacBook Pro returned 'root'.
This is exactly as Peter suggested: a box that had never turned on ARD is not vulnerable.

That said, many thanks for this app, and I WILL be running it on my other Macs, which have all had ARD switched on.

Peter da Silva (developer)
+0

That's precisely correct: I'm not putting your work down, and if your patch allows people to use ARD safely, that's great. If they don't have a need for ARD, though, don't you think it might be possible to remove the registration of ARDAgent's AppleScript dictionary so that osascript doesn't use it?

Theiphoneproject (developer)
+0

Actually, we pretty much don't care if people put our work down :P, and I'm not saying you were doing that either; my issue with your comments was that they diverged from reality and may have confused some of the people researching this topic. The fact remains, the ARDAgent exploit exists whether you use ARD or not, and actually, we provide both options to the users, in the form of an advanced option that removes the setuid bit from ARDAgent, effectively disabling the exploit *as well as* disabling Apple Remote Desktop Admin, which will *not* start unless that setuid bit exists.
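The developer's posts above describe two file-level facts that decide whether a box is exposed: whether ARDAgent is still setuid, and whether its Info.plist carries the NSAppleScriptEnabled restriction; the post just above adds the option of clearing the setuid bit. The script below is an added example, not ARD Patcher's own code, that audits those two facts without invoking ARDAgent at all; the bundle path is an assumption about the 10.4/10.5 layout, the plist parsing handles text (XML) plists only, and the fixture bundle it builds is constructed purely for offline testing.

```shell
#!/bin/sh
# Added audit helper, not ARD Patcher's own code. It reports the two facts the
# thread turns on without ever invoking ARDAgent: whether the binary still
# carries the setuid bit, and whether Info.plist sets NSAppleScriptEnabled
# (which the developer says confines ARDAgent to its default dictionaries).
# The bundle path is an assumption about the 10.4/10.5 layout.
ARD_DEFAULT="/System/Library/CoreServices/RemoteManagement/ARDAgent.app"

# plist_flag_enabled <Info.plist>: succeed if NSAppleScriptEnabled is true/YES.
# Text (XML) plists only; a binary plist must be converted with plutil first.
plist_flag_enabled() {
    grep -A1 '<key>NSAppleScriptEnabled</key>' "$1" 2>/dev/null \
        | grep -qiE '<true/>|<string>YES</string>'
}

# ard_status [bundle]: print one word describing the bundle's state.
#   vulnerable  setuid bit set and scripting not restricted
#   restricted  setuid bit set but NSAppleScriptEnabled limits scripting
#   no-setuid   setuid bit cleared (also disables ARD admin, per the thread)
#   missing     no ARDAgent binary at that path
ard_status() {
    bundle="${1:-$ARD_DEFAULT}"
    bin="$bundle/Contents/MacOS/ARDAgent"
    if [ ! -f "$bin" ]; then echo missing
    elif [ ! -u "$bin" ]; then echo no-setuid
    elif plist_flag_enabled "$bundle/Contents/Info.plist"; then echo restricted
    else echo vulnerable
    fi
}

# clear_setuid [bundle]: the "advanced option" mitigation from the thread.
# Needs root on a real system; ARD admin stops working until it is restored.
clear_setuid() {
    chmod u-s "${1:-$ARD_DEFAULT}/Contents/MacOS/ARDAgent"
}

# make_fixture <dir> <setuid yes|no> <flag yes|no>: constructed bundle used
# to exercise the checks offline; it contains no real ARDAgent.
make_fixture() {
    mkdir -p "$1/Contents/MacOS"
    : > "$1/Contents/MacOS/ARDAgent"
    if [ "$2" = yes ]; then chmod u+s "$1/Contents/MacOS/ARDAgent"; fi
    if [ "$3" = yes ]; then
        printf '<plist><dict><key>NSAppleScriptEnabled</key><true/></dict></plist>\n' \
            > "$1/Contents/Info.plist"
    else
        printf '<plist><dict></dict></plist>\n' > "$1/Contents/Info.plist"
    fi
}
```

On a real Mac, `ard_status` with no argument inspects the default bundle path; a result of `vulnerable` means the file state matches what the developer describes, while `restricted` matches the state ARD Patcher leaves behind.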

Peter da Silva (developer)
+0

I think we have pretty well confirmed that the ARD exploit does NOT exist (at least not in Tiger) if you have not run ARDAgent. That's not "counter to reality", that's just the way osascript works... it doesn't go grovelling through the disk looking for programs that might register with AppleScript.

velgor242
+0

Actually, the description for this utility is a bit off. It DOES enable and require Remote Management. After running the tool, Remote Management was enabled on my system. Disabling it causes ARD Patcher to report I'm no longer secure.

0 replies
Version 1.0
jdac21
+0

simple yet significant
IT WORKS TOO WELL
for something so simple
great app lads
thanks jdac21

0 replies
Version 1.0
mswfujowdffyc
+0

Worked like a charm, in Tiger and Leopard PPC. Thanks for this little tool.

0 replies
Version 1.0
dstan
+0

Great tool! One click, simple enough! Some antivirus companies are charging hundreds for a simple fix like this.

Many thanks. Cheers.

0 replies
Version 1.0
GrooveMachine
+0

Awesome. As far as I can tell, it worked great. Now I don't have to worry about this said trojan any more. Thanks Francis, you did great.

0 replies
Version 1.0
Turkchgo
+0

Does this "patch" affect the function of Apple Remote Desktop for those who use the program as either a client or admin?

It doesn't say what it actually does, but if the program actually disables ARD in an environment where it's being used, that wouldn't be a good thing to do without knowing first.

1 reply
Version 1.0
Theiphoneproject (developer)
+0

You're absolutely right, sorry about that!

No, this does not disable ARD, nor does it force-enable remote management. It basically tricks ARDAgent into thinking that remote management *is* enabled even when it's not, and more importantly, it forces ARDAgent to use the default AppleScript dictionaries, which don't include the "do shell script" command.

Details

Downloads 4,761
Version Downloads 3,098
License Free
Date 07 Jul 2008
Platform OS X / PPC 32 / Intel 32
Price Free