Apple on Wednesday posted Security Update 2004-10-27. Also available for download through the Software Update system preference pane, the update “delivers a number of security enhancements and is recommended for all Macintosh users,” according to Apple. The release includes an updated version of Apple Remote Desktop v1.2.4 running on Mac OS X v10.3.
The problem only affects Macs running Mac OS X v10.3 and Apple Remote Desktop v1.2.4, where:
A user on the client system has been enabled with the Open and quit applications privilege;
The username and password of the Apple Remote Desktop user are known;
Fast User Switching has been enabled;
and a user is logged in, and loginwindow is active via Fast User Switching.
“If the Apple Remote Desktop Administrator application on another system is used to start a GUI application on the client, then the GUI application would run as root behind the loginwindow,” explained Apple in detailed technical information available from their Web site. “This update prevents Apple Remote Desktop from launching applications when the loginwindow is active. This security enhancement is also present in Apple Remote Desktop v2.1. This issue does not affect systems prior to Mac OS X 10.3. Credit to Andrew Nakhla and Secunia Research for reporting this issue.”