Unsafe permissions assignment on Apple's Remote Desktop
Apple has released a security advisory and updates for its Remote Desktop. The Remote Desktop admin server sets insufficiently restrictive permissions on the packages it uses to install and upgrade client systems. Local users on the Remote Desktop admin system could use this to manipulate such packages and thereby execute commands with root rights on the client systems whenever clients are installed or updated.
The bug affects Remote Desktop version 3.0. Apple is providing updated packages of version 3.1 for download. These should be installed by administrators of Remote Desktop admin servers if other users have access to those computers.
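Administrators who share an admin system with other users can check an installer package tree for the class of problem described above. The following is an added example, not code from Apple or the advisory; the package path is supplied by the caller because the page does not name it, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an installer package tree for entries that a local
# user other than the owner could modify. The path is an assumption supplied
# by the caller; the advisory summary does not give the package location.

# Print every file or directory under $1 that is group- or world-writable.
# Directories count as findings too: write access to a directory allows the
# files inside it to be replaced even when those files are read-only.
find_writable() {
    # -perm -020 / -002 match a set group-write / other-write bit.
    # Symlinks are skipped; their own mode bits carry no meaning.
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null | sort
}

# Exit status: 0 = clean, 1 = writable entries found, 2 = path missing.
audit_pkg_perms() {
    [ -e "$1" ] || { echo "no such path: $1" >&2; return 2; }
    findings=$(find_writable "$1")
    if [ -n "$findings" ]; then
        echo "writable by group or others:"
        echo "$findings" | sed 's/^/  /'
        return 1
    fi
    echo "ok: no group- or world-writable entries under $1"
    return 0
}

# Remediation: remove group and other write bits across the whole tree.
harden_pkg_perms() {
    chmod -R go-w "$1"
}

# Audit the path given on the command line, if any.
if [ -n "${1:-}" ]; then
    audit_pkg_perms "$1"
fi
```

A clean result only covers mode bits inside the tree; ownership of the tree and the permissions of its parent directories need the same review.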
- About the security content of Apple Remote Desktop 3.1, security advisory from Apple
- Download of Remote Desktop Servers 3.1
- Download of Remote Desktop Client 3.1