No password required
I would like to point out to the fanboys that in the case of this exploit, no, you do not have to input your admin password and nor will you be asked for it. The ARD agent is taking an applescript request from a non-privileged user and executing it as ROOT.
If you couple this with say, a drive by browser exploit, then you have a *serious* problem.
I was able to get the exploit to work remotely on my Macs but only with known credentials for a user on the remote machine and of course events must be enabled (not default behaviour), but it is potentially remotely exploitable.
- 'Windows 9' LEAK: Microsoft's playing catchup with Linux
- Review A SCORCHIO fatboy SSD: Samsung SSD850 PRO 3D V-NAND
- Was Earth once covered in HELLFIRE? No – more like a wet Sunday night in Iceland
- Every billionaire needs a PANZER TANK, right? STOP THERE, Paul Allen
- First Irish boy band U2. Now Apple pushes ANOTHER thing into iPhones, iPods, iPads