No password required
I would like to point out to the fanboys that in the case of this exploit, no, you do not have to input your admin password and nor will you be asked for it. The ARD agent is taking an applescript request from a non-privileged user and executing it as ROOT.
If you couple this with say, a drive by browser exploit, then you have a *serious* problem.
I was able to get the exploit to work remotely on my Macs but only with known credentials for a user on the remote machine and of course events must be enabled (not default behaviour), but it is potentially remotely exploitable.
- iPad is an iFAD: Now we know why Apple went running to IBM
- Apple orders huge MOUNTAIN of 80 MILLION 'Air' iPhone 6s
- Climate: 'An excuse for tax hikes', scientists 'don't know what they're talking about'
- Black Hat anti-Tor talk smashed by lawyers' wrecking ball
- +Analysis Microsoft: We're building ONE TRUE WINDOWS to rule us all