Didn't take long
As soon as I read about the idiotic decision to have the SUID bit set on the Apple Remote Desktop Agent, it was obvious there would be an exploit for it. This is a massive security hole in OS X and there's not really any way of defending it: A simple shell script can gain root privileges not by exploiting buffer overruns, etc., but almost by design!
The Apple Remote Desktop Agent is scriptable and runs all scripts passed to it as root because of the SUID bit: this really is security 101 stuff and it makes you wonder how many other holes exist under the hood of OS X.
You can protect yourself from this by unsetting the SUID bit, but if you subsequently run permissions repair on the disk, OS X will "helpfully" put it back for you...
Microsoft have had a lot of (justified) stick for security issues in various versions of Windows, but this is probably the worst security issue I've seen in years, simply because someone has made a conscious decision to set up the remote desktop agent in that way.
Finally, a few comments on here have tried to defend it by saying it has to be installed by the user: That is the definition of a trojan, and the big difference with this over earlier "trojans" is that the root escalation means it can do what it wants without triggering the secondary authentication that has kept other malware from freely doing what it wants on a Mac.
This will probably hit Macs hard because many Mac users are lax about running downloaded apps because they expect the OS to protect them, and have no additional malware protection on the machine.
And before I get flamed by Mac users trying to defend this, I am a Mac user myself and, as I said at the start, this is simply indefensible.
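
The mitigation mentioned in the comment above (unsetting the SUID bit, which a permissions repair then restores) only holds if it is re-checked after every repair. One way to script that re-check, as an added example that is not part of the original comment; the list file and every path in it are assumptions supplied by whoever runs it:

```shell
#!/bin/sh
# Added example: re-apply a "no setuid" policy to a list of binaries.
# The list file and its paths come from the operator (assumption);
# none of them are taken from the page.

# has_suid FILE: true if FILE is a regular file with the setuid bit set.
has_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# enforce_no_suid LIST: LIST holds one absolute path per line; blank lines
# and lines starting with '#' are skipped. Clears the setuid bit wherever
# it is set and prints one status line per path.
# Returns 0 if nothing needed fixing, 1 if at least one bit had come back
# and was cleared, 2 if a chmod failed (for example, not run as the owner).
enforce_no_suid() {
    _list=$1
    _rc=0
    while IFS= read -r _path || [ -n "$_path" ]; do
        case $_path in ''|'#'*) continue ;; esac
        if [ ! -e "$_path" ]; then
            echo "MISSING  $_path"
        elif has_suid "$_path"; then
            # Verify after chmod rather than trusting its exit code alone.
            if chmod u-s "$_path" && ! has_suid "$_path"; then
                echo "CLEARED  $_path"
                if [ "$_rc" -eq 0 ]; then _rc=1; fi
            else
                echo "FAILED   $_path"
                _rc=2
            fi
        else
            echo "OK       $_path"
        fi
    done < "$_list"
    return "$_rc"
}
```

A non-zero return means the policy had drifted since the last run, which is the signal to look for whatever restored the bit.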