site_archiver@lists.apple.com Delivered-To: security-announce@lists.apple.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 APPLE-SA-2004-10-27 Security Update 2004-10-27 Security Update 2004-10-27 is now available and delivers the following security enhancement for Apple Remote Desktop Client: CVE-ID: CAN-2004-0962 Available for: Apple Remote Desktop Client v1.2.4 with Mac OS X v10.3.x Impact: An application can be started behind the loginwindow and it will run as root Description: For a system with the following pre-conditions: * Apple Remote Desktop client installed * A user on the client system has been enabled with the "Open and quit applications" privilege * The username and password of the ARD user is known * Fast User Switching has been enabled * A user is logged in, and loginwindow is active via Fast User Switching If the Apple Remote Desktop Administrator application on another system is used to start a GUI application on the client, then the GUI application will run as root behind the loginwindow. This update prevents Apple Remote Desktop from launching applications when the loginwindow is active. This security enhancement is also present in Apple Remote Desktop v2.1. This issue does not affect systems prior to Mac OS X v10.3. Credit to Andrew Nakhla and Secunia Research for reporting this issue. Security Update 2004-10-27 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/ The download file is named: "SecurityUpdate2004-10-27.dmg" Its SHA-1 digest is: 6f74180d4144affd3630e8824bff778ac39655e7 Information will also be posted to the Apple Product Security web site: http://www.apple.com/support/security/security_updates.html This message is signed with Apple's Product Security PGP key, and details are available at: http://www.apple.com/support/security/security_pgp.html -----BEGIN PGP SIGNATURE----- Version: PGP 8.1 iQEVAwUBQX//jZyw5owIz4TQAQKitwf+IQ3dtQquGBWVPAew/3+CYHmL121zldZ9 2qlMn4zk66/hu9ecTHi0JLjI6sYS2jcYlIt5lxdHXAm1yt6LVdsgfCwLXu0ZnrgL ygoPtr39KDX0YFPomkQVz2ZGptJs4zFsfnLUfi61pegLvicMKy+Zc1Cpzdba+rL5 39ZsZFMnWn6XJqwhJs3zlcXhkH3ggPmG7r6bWLmiRGY6EUaMRFyyCfphoTcSZSiC 81tDpryCJk2X/Ncv4g8tXlDqzjpJMRSslM9a1WFGXx+6Vd7FUz4UfC7ATYggodBU QvYHKEkVQSH9efMDHJBk6F50WQpLvPoTA1fW3RLl54eEQlileuBgoA== =2G/h -----END PGP SIGNATURE----- _______________________________________________ Do not post admin requests to the list. They will be ignored. Security-announce mailing list (Security-announce@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/security-announce/site_archiver%40lis... This email sent to site_archiver@lists.apple.com