News 

Fortunately, it Intego says that security hole is easily closed by simply enabling Remote Management in the Sharing preferences. Once this setting is activated, any exploit will not function.

The vulnerability takes advantage of the fact that Remote Management's

ADVERTISEMENT

ARDAgent component is owned by root, so running code via the ARDAgent executable runs this code as root, without requiring a password. The exploit in question depends on ARDAgent's ability to run AppleScripts, which may, in turn, include shell script commands.

SecureMac is reporting that it has already discovered both an AppleScript and and an application that attempt to exploit the flaw: a compiled 60KB AppleScript called ASthtv05 and a 3.1MB application bundle called AStht_v06. The user must download and open either in order to become infected, whereupon the malware moves itself into the /Library/Caches/ folder and adds itself to the System Login Items.

It the runs hidden on the system and can transmit system and user passwords and allow a malicious user complete remote access to the system. It attempts to avoid detection by opening ports in the firewall and turning off system logging. Additionally, the AppleScript.THT Trojan can log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing.