No password required
I would like to point out to the fanboys that in the case of this exploit, no, you do not have to input your admin password and nor will you be asked for it. The ARD agent is taking an applescript request from a non-privileged user and executing it as ROOT.
If you couple this with say, a drive by browser exploit, then you have a *serious* problem.
I was able to get the exploit to work remotely on my Macs but only with known credentials for a user on the remote machine and of course events must be enabled (not default behaviour), but it is potentially remotely exploitable.
- Pic Forget the $2499 5K iMac – today we reveal Apple's most expensive computer to date
- RUMPY PUMPY: Bone says humans BONED Neanderthals 50,000 years B.C.
- Geek's Guide to Britain Kingston's aviation empire: From industry firsts to Airfix heroes
- Analysis Happy 2nd birthday, Windows 8 and Surface: Anatomy of a disaster
- Review Vulture trails claw across Lenovo's touchy N20p Chromebook