=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN354
_____________________________________________________________________

DATE                      : 17/09/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Mac OS 10.x running Apple Remote Desktop
                                       versions prior to 3.2.2.

======================================================================
http://support.apple.com/kb/HT3145
______________________________________________________________________

APPLE-SA-2008-09-16 Apple Remote Desktop 3.2.2

Apple Remote Desktop 3.2.2 is now available and addresses the
following issue:

Apple Remote Desktop
CVE-ID:  CVE-2008-2830
Available for:  Apple Remote Desktop 3.2.1,
Mac OS X v10.3 through v10.5.5, Mac OS X Server v10.3 through v10.5.5
Impact:  A local user may execute commands with elevated privileges
unless Security Update 2008-005 has been installed
Description:  A design issue exists in the Open Scripting
Architecture libraries when determining whether to load scripting
addition plugins into applications running with elevated privileges.
This update mitigates the issue for Apple Remote Desktop by disabling
scripting of ARDAgent.  This issue does not affect systems that have
installed Security Update 2008-005.  Credit to Charles Srstka for
reporting this issue.

Apple Remote Desktop 3.2.2 may be obtained from the Software Update
pane in System Preferences, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/

For Apple Remote Desktop 3.2.2 Client
The download file is named:  "RemoteDesktopClient.dmg"
Its SHA-1 digest is:  b1a81f17724d9b2f7b6dbffed56bc9a0463d1d7e

For Apple Remote Desktop 3.2.2 Admin
The download file is named:  "RemoteDesktopAdmin322.dmg"
Its SHA-1 digest is:  d9657c10ed4bc29cfe8cc64e0727ffd4ed8a1425
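
The two digests published above are the check an administrator should run before installing. The following is an added example, not part of the Apple or CERT-Renater advisory: it parses the file/digest pairs in the format used in this advisory, then hashes a downloaded image and compares it against the published value for that file name; the file path and the `sha1_hex` helper (for small in-memory inputs) are assumptions for illustration.

```python
import hashlib
import hmac
import re
from pathlib import Path

# Matches the two-line file/digest pairs used in this advisory, e.g.
#   The download file is named:  "RemoteDesktopClient.dmg"
#   Its SHA-1 digest is:  b1a81f17724d9b2f7b6dbffed56bc9a0463d1d7e
DIGEST_PAIR = re.compile(
    r'file is named:\s+"(?P<name>[^"]+)"\s*\n'
    r'\s*Its SHA-1 digest is:\s+(?P<sha1>[0-9a-fA-F]{40})'
)


def parse_published_digests(advisory_text):
    """Return {filename: sha1_hex} for every file/digest pair in the advisory text."""
    return {m.group("name"): m.group("sha1").lower()
            for m in DIGEST_PAIR.finditer(advisory_text)}


def sha1_hex(data):
    """SHA-1 of an in-memory byte string (assumed helper for small inputs and tests)."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large .dmg is hashed without loading it whole."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_digest(name, actual_sha1, published):
    """Compare a computed digest with the published one for that file name.
    Returns (ok, reason); a file name with no published digest fails, it does not pass."""
    expected = published.get(name)
    if expected is None:
        return False, "no published digest for %s" % name
    if not hmac.compare_digest(actual_sha1.lower(), expected):
        return False, "SHA-1 mismatch for %s: got %s, expected %s" % (name, actual_sha1, expected)
    return True, "%s matches the published SHA-1" % name


def verify_download(path, published):
    """Hash a downloaded installer image (path is an assumption) and check it."""
    return check_digest(Path(path).name, sha1_of_file(path), published)
```

Feed `parse_published_digests` the text of the advisory itself so the expected values are never retyped by hand.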

Information will also be posted to the Apple Security Updates
web site:  http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key,
and details are available at:
http://www.apple.com/support/security/pgp/

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================