No password required
I would like to point out to the fanboys that in the case of this exploit, no, you do not have to input your admin password and nor will you be asked for it. The ARD agent is taking an applescript request from a non-privileged user and executing it as ROOT.
If you couple this with say, a drive by browser exploit, then you have a *serious* problem.
I was able to get the exploit to work remotely on my Macs but only with known credentials for a user on the remote machine and of course events must be enabled (not default behaviour), but it is potentially remotely exploitable.
- Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
- Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
- Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
- Feast your PUNY eyes on highest resolution phone display EVER
- Wall St's DROOLING as Twitter GULPS DOWN analytics firm Gnip