About the security content of Apple Remote Desktop 3.2.2
This document describes the security content of Apple Remote Desktop 3.2.2, which can be downloaded and installed via Software Update preferences, or from Apple Downloads.
For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.
For information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."
Where possible, CVE IDs are used to reference the vulnerabilities for further information.
To learn about other Security Updates, see "Apple Security Updates."
Apple Remote Desktop 3.2.2
Apple Remote Desktop
CVE-ID: CVE-2008-2830
Available for: Apple Remote Desktop 3.2.1, Mac OS X v10.3 through v10.5.5, Mac OS X Server v10.3 through v10.5.5
Impact: A local user may execute commands with elevated privileges unless Security Update 2008-005 has been installed
Description: A design issue exists in the Open Scripting Architecture libraries when determining whether to load scripting addition plugins into applications running with elevated privileges. This update mitigates the issue for Apple Remote Desktop by disabling scripting of ARDAgent. This issue does not affect systems that have applied Security Update 2008-005. Credit to Charles Srstka for reporting this issue.