If you’re using Arq on a Mac, please download and run the 5.10 installer to get an update that fixes a security vulnerability (see details below).
- Click this link to download the installer DMG: Arq 5.10
- Double-click the DMG file to open it.
- Double-click the Arq icon in the DMG file to install.
Arq for Mac Vulnerabilities Fixed
Mark Wadham identified a vulnerability in Arq 5 for Mac where an attacker could become the “root” user (thank you, Mark, for all your help identifying and resolving this!). The issue was in the way Arq applied the set-user-ID-on-execution bit to its helper apps (for auto-updating, backing up using administrator privileges, and restoring). The affected helper apps were arq_updater (for auto-update), arqcommitter (for backing up), and standardrestorer, arqglacierrestorer and arqs3glacierrestorer (for restoring). The fix for this issue is implemented in Arq 5.10:
- When you double-click the Arq icon in the DMG, Arq copies itself to /Applications and sets the permissions on the application bundle to prevent non-root users from modifying it.
- Arq will only set the set-user-ID-on-execution bit on the helper apps if the Arq app bundle is installed in /Applications.
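The fix depends on non-root users being unable to modify the bundle that holds the set-user-ID helpers. The following audit script is an added example, not Arq's own code: it finds every set-user-ID file under an application bundle and checks that the file and each directory above it, up to the bundle root, are owned by the trusted user and not group- or world-writable. The function names and the `trusted_uid` parameter are assumptions made for illustration.

```python
import os
import stat
import sys

UNSAFE_WRITE = stat.S_IWGRP | stat.S_IWOTH  # writable by someone other than the owner


def path_problems(path, bundle_root, trusted_uid):
    """Check a file and each directory from it up to bundle_root (inclusive)."""
    problems = []
    node = path
    while True:
        st = os.lstat(node)
        if st.st_uid != trusted_uid:
            problems.append(f"{node}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & UNSAFE_WRITE:
            problems.append(f"{node}: group- or world-writable")
        if node == bundle_root:
            return problems
        node = os.path.dirname(node)


def audit_setuid_helpers(bundle_root, trusted_uid=0):
    """Map every set-user-ID regular file under bundle_root to its problems.

    An empty list means only trusted_uid can replace the helper or any
    directory entry on the path to it (POSIX mode bits only).
    """
    bundle_root = os.path.realpath(bundle_root)
    findings = {}
    for dirpath, _dirs, files in os.walk(bundle_root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            # Symlinks and non-regular files are skipped; only real setuid files count.
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                findings[path] = path_problems(path, bundle_root, trusted_uid)
    return findings


if __name__ == "__main__":
    # Usage: python3 audit_setuid.py <path to app bundle>
    results = audit_setuid_helpers(sys.argv[1])
    for helper, problems in results.items():
        print(("FAIL " if problems else "ok   ") + helper)
        for p in problems:
            print("     " + p)
    sys.exit(1 if any(results.values()) else 0)
```

The script inspects POSIX mode bits and ownership only; access control lists that grant write access are not examined and need a separate check.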