User "ifrancisco" Profile
About ifrancisco
Last Login: 27 Aug 2008 14:25
Posts: 7
Recent Downloads:
  1. HookUp
User Reviews


ARD Patcher
Jul 8 2008

IFRANCISCO  Actually, we pretty much don't care if people put our work down :P, and I'm not saying you were doing that either, my issue with your comments was that they diverged from reality and may have confused some of the people researching this topic. The fact remains, the ARDAgent exploit exists whether you use ARD or not, and actually, we provide both options to the users, in the form of an advanced option that removes the setuid bit from ARDAgent, effectively disabling the exploit *as well as* disabling Apple Remote Desktop Admin - which will *not* start unless that setuid bit exists.  
(Version 1.2)

ARD Patcher
Jul 7 2008

IFRANCISCO  Unfortunately, quite a few people have, and when they tell ARDAgent to "do shell script 'whoami'" it returns "root". All the reasoning and arguing in the world will not change the fact that this has happened and will continue to happen until Apple fixes it, let me refer you to a few choice websites explaining this issue, many include user feedback proving that this exploit does indeed exist.

http://blog.washingtonpost.com/securityfix/2008/06/serious_security_vulnerabilty_1.html

http://www.frsirt.com/english/advisories/2008/1905

http://www.macworld.com/article/134165/2008/06/ardagent.html?t=

http://secunia.com/advisories/30776/

http://it.slashdot.org/it/08/06/18/1919224.shtml

I don't understand why you find it necessary to argue that this exploit does not exist. Do you think we would have spent hours during the last few days working on a *free* patch if the exploit didn't exist?

Regardless, if you feel that you have implemented adequate security measures on your end, nobody is forcing you to use this tool.  
(Version 1.2)

ARD Patcher
Jul 7 2008

IFRANCISCO  Version 1.2 has been released which addresses the crash-on-start issue on Tiger, thanks for all your feedback on this!  
(Version 1.2)

ARD Patcher
Jul 7 2008

IFRANCISCO  We have received your crash reports, and thanks to your feedback, we've fixed the crash-on-start problem on Tiger. Expect an update later today addressing this issue.

Thanks!  
(Version 1.1)

ARD Patcher
Jul 6 2008

IFRANCISCO  ARDAgent does not need to be running, osascript calls the ARDAgent executable, which has root:wheel and S_ISUID, and tells it to execute a command of some sort.

The ARDAgent applescript dictionaries contain the "do shell script" command, and quite simply put, if you take a Mac out of the box, and use osascript to tell ARDAgent to run a shell script, it *will* run a shell script with root privileges. If you tell ARDAgent to run whoami and it returns "root", then you are *not* safe, but if you get an error, it means your ARDAgent has been restricted to the default applescript dictionaries via the NSAppleScriptEnabled flag, and you are safe. This could be due to 1 of 2 reasons, either Remote Management is enabled, or you have the NSAppleScriptEnabled flag set to YES in ARDAgent.app's Info.plist. Either way, good for you, but millions of Macs out there *do* return "root", and that's enough to prove that they are vulnerable to a local attack vector.

If you would like to discuss this further with me please email me at yousef AT ifrancis DOT net

Regards,

Youssef Francis  
(Version 1.0)
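
A file-level audit of the two conditions the comment above describes (a setuid-root ARDAgent executable, and the NSAppleScriptEnabled flag in Info.plist), as an added example that is not part of the original comments or of ARD Patcher's code. It assumes the standard bundle layout (`Contents/MacOS/ARDAgent`, `Contents/Info.plist`); the function names, verdict labels and sample plists are constructed, and the check cannot see whether Remote Management is enabled.

```python
import os
import plistlib
import stat

def classify(mode, owner_uid, info):
    """Classify an ARDAgent executable from its stat mode, owner uid and parsed Info.plist."""
    setuid_root = bool(mode & stat.S_ISUID) and owner_uid == 0
    if not setuid_root:
        # The "advanced option" from the thread: without the setuid-root bit there
        # is no escalation, but Apple Remote Desktop Admin will not start either.
        return "setuid-removed"
    flag = info.get("NSAppleScriptEnabled")
    if flag is True or (isinstance(flag, str) and flag.upper() == "YES"):
        # Flag set to YES: ARDAgent is restricted to the default dictionaries.
        return "restricted"
    # Setuid root and no flag: exposed unless Remote Management is enabled,
    # which this file-level check cannot determine.
    return "exposed"

def audit_bundle(app_path):
    """Stat the executable and read Info.plist of an ARDAgent.app bundle on disk.

    app_path is supplied by the caller; the layout below is an assumption.
    """
    binary = os.path.join(app_path, "Contents", "MacOS", "ARDAgent")
    st = os.stat(binary)
    with open(os.path.join(app_path, "Contents", "Info.plist"), "rb") as fh:
        info = plistlib.load(fh)
    return classify(st.st_mode, st.st_uid, info)

# Constructed sample plists (not copied from a real system).
PLIST_STOCK = plistlib.dumps({"CFBundleExecutable": "ARDAgent"})
PLIST_FLAGGED = plistlib.dumps(
    {"CFBundleExecutable": "ARDAgent", "NSAppleScriptEnabled": True}
)

def demo():
    """Run the classifier over three constructed states of the bundle."""
    setuid_mode = stat.S_IFREG | stat.S_ISUID | 0o755
    plain_mode = stat.S_IFREG | 0o755
    return [
        classify(setuid_mode, 0, plistlib.loads(PLIST_STOCK)),
        classify(setuid_mode, 0, plistlib.loads(PLIST_FLAGGED)),
        classify(plain_mode, 0, plistlib.loads(PLIST_STOCK)),
    ]

if __name__ == "__main__":
    print(demo())
```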

ARD Patcher
Jul 6 2008

IFRANCISCO  Actually Peter, that's not true, the method of exploiting ARDAgent involves giving it a "do shell script" command locally. This means any malicious app can effectively compromise your machine without your knowledge, and without asking for an administrator password. I suggest reading the article on the exploit at macworld.com as it will explain the problem more clearly.
(Version 1.0)

ARD Patcher
Jul 6 2008

IFRANCISCO  You're absolutely right, sorry about that!

No, this does not disable ARD, nor does it force-enable remote management. It basically tricks ARDAgent into thinking that remote management *is* enabled even when it's not, and more importantly, it forces ARDAgent to use the default applescript dictionaries, which don't include the "do shell script" command.
(Version 1.0)
