This document describes the security content of Apple Remote Desktop 3.1, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
Apple Remote Desktop
CVE-ID: CVE-2006-4413
Available for: Apple Remote Desktop 3.0
Impact: Malicious local users may be able to modify packages used to install or upgrade client systems
Description: Apple Remote Desktop includes built-in packages used to install and upgrade client systems. The permissions on these packages could allow them to be altered by malicious local users on Apple Remote Desktop admin systems. This could lead to the execution of arbitrary commands with root privileges on client systems when Apple Remote Desktop client software is installed or upgraded. This issue has been addressed by applying more restrictive permissions on the built-in installation packages. Credit to Andrew Mortensen of the University of Michigan for reporting this issue.
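The class of defect described above, writable installer packages on an admin system, is straightforward to audit for. The following script is an added example, not Apple's code or part of the update: it walks a directory of package bundles, reports any file or directory that is group- or world-writable, and strips those bits; the package directory path and bundle layout it constructs are assumptions for a self-contained run.

```shell
#!/bin/sh
# Report every file or directory under a package directory that someone
# other than the owner could modify (group- or world-writable). Packages
# are bundles, so a writable postinstall script or payload inside the
# bundle is as serious as a writable top-level directory.
# Returns 1 if anything is found, 0 if the tree is clean.
audit_pkg_perms() {
    dir="$1"
    # Octal tests are portable across GNU and BSD find:
    # -perm -020 = group write bit set, -perm -002 = other write bit set.
    found=$(find "$dir" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)
    if [ -n "$found" ]; then
        printf 'writable by group/others:\n%s\n' "$found"
        return 1
    fi
    return 0
}

# The corrective setting: remove group and other write from the whole tree.
# On a real admin system you would also confirm root ownership (find ! -user root).
harden_pkg_perms() {
    chmod -R go-w "$1"
}

# Build a constructed sample package tree (hypothetical names) so the
# audit can be run offline. Prints the temporary directory it created.
make_sample_pkgs() {
    base=$(mktemp -d)
    pkg="$base/ClientInstall.pkg/Contents/Resources"
    mkdir -p "$pkg"
    printf '#!/bin/sh\necho installing client\n' > "$pkg/postinstall"
    chmod 666 "$pkg/postinstall"          # the weak setting: anyone can edit it
    printf 'payload\n' > "$base/ClientInstall.pkg/Contents/Archive.pax.gz"
    chmod 644 "$base/ClientInstall.pkg/Contents/Archive.pax.gz"
    printf '%s' "$base"
}
```

Run `audit_pkg_perms` against the package directory before and after `harden_pkg_perms` to confirm the fix took effect.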