Didn't take long
As soon as I read about the idiotic decision to have the SUID bit set on the Apple Remote Desktop Agent, it was obvious there would be an exploit for it. This is a massive security hole in OS X and there's not really any way of defending it: A simple shell script can gain root privileges not by exploiting buffer overruns, etc but almost by design!
The Apple Remote Desktop Agent is scriptable and runs all scripts passed to it as root because of the SUID bit: this really is security 101 stuff and it makes you wonder how many other holes exist under the hood of OS X
You can protect yourself from this by unsetting the SUID bit, but if you subsequently run permissions repair on the disk, OS X will "helpfully" put it back for you...
Microsoft have had a lot of (justified) stick for security issues in various versions of Windows, but this is probably the worst security issue I've seen in years, simply because someone has made a concious decision to setup the remote desktop agent in that way
Finally, a few comments on here have tried to defend it by saying it has to be installed by the user: That is the definition of a trojan, and the big difference with this over earlier "trojans" is that the root escalation means it can do what it wants without triggering the secondary authentication that has kept other malware from freely doing what it wants on a Mac.
This will probably hit Macs hard because many Mac users are lax about running downloaded apps because they expect the OS to protect them, and have no additional malware protection on the machine.
And before I get flamed by Mac users trying to defend this, I am a Mac user myself and, as I said at the start, this is simply indefensible
- Put down that Oracle database patch: It could cost $23,000 per CPU
- The END of the FONDLESLAB KINGS? Apple and Samsung have reason to FEAR
- Pics It's Google HQ - the British one: Reg man snaps covert shots INSIDE London offices
- DAYS from end of life as we know it: Boffins tell of solar storm near-miss
- Bose decides today IS F*** With Dre Day: Beats sued in patent spat