Apple fixes VNC security problem in Remote Desktop 3.5

Late Monday, Apple released an update to the 3.5.x branch of its Apple Remote Desktop (ARD) administration application to close a known security hole. Version 3.5.3 of the desktop management solution for remotely managing Mac OS X systems corrects an information disclosure vulnerability (CVE-2012-0681) when connecting to third-party VNC servers, which could result in data not being encrypted when the “Encrypt all network data” setting is enabled. When this happens, no warning is presented to alert users that the connection could be insecure.

The same problem was already resolved in the 3.6 branch of ARD with the release of version 3.6.1 at the end of August. However, ARD 3.6.x is only available for systems running Mac OS X 10.7 Lion or later, whereas ARD 3.5 still supports the older 10.6 Snow Leopard release of Mac OS X. As with ARD 3.6.1, the 3.5.3 update corrects the problem by creating an SSH tunnel for the VNC connection when “Encrypt all network data” is set. When this is not possible, the connection is prevented. According to Apple, only version 3.5.2 of ARD was affected by the problem; Apple Remote Desktop 3.5.1 and earlier are not vulnerable.
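The fail-closed behaviour described above can be reproduced by hand for any third-party VNC server. The following is an added example, not Apple's code: the function name, the local port 5901 and the use of macOS `open` as the viewer are assumptions, as is an SSH daemon running on the VNC host with VNC listening on port 5900.

```shell
# Added illustration (not Apple's implementation): VNC over an SSH tunnel
# that refuses to connect when encryption was requested but no tunnel exists.
# Assumptions: sshd runs on the VNC host, VNC listens on port 5900 there,
# and VNC_VIEWER is a command that accepts a vnc:// URL (macOS "open" does).
VNC_VIEWER="${VNC_VIEWER:-open}"
LOCAL_PORT="${LOCAL_PORT:-5901}"

# usage: encrypted_vnc user@host [yes|no]
encrypted_vnc() {
    target="$1"
    encrypt="${2:-yes}"

    if [ "$encrypt" != "yes" ]; then
        # Encryption explicitly not requested: plain VNC straight to the host.
        "$VNC_VIEWER" "vnc://${target#*@}:5900"
        return
    fi

    # -f  go to background once authentication has succeeded
    # -N  run no remote command, forward the port only
    # ExitOnForwardFailure=yes makes ssh exit non-zero if the forward
    # cannot be set up, so a broken tunnel is never mistaken for a working one.
    # The background ssh process stays up until it is killed.
    if ! ssh -f -N -o ExitOnForwardFailure=yes \
             -L "127.0.0.1:${LOCAL_PORT}:127.0.0.1:5900" "$target"; then
        echo "refusing to connect: no SSH tunnel to ${target}" >&2
        return 1    # fail closed: never fall back to cleartext VNC
    fi

    # The viewer only ever talks to the local end of the tunnel.
    "$VNC_VIEWER" "vnc://127.0.0.1:${LOCAL_PORT}"
}
```
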

Version 3.5.3 of Apple Remote Desktop is available to download from Apple’s support web site; existing users can install the update using the built-in Software Update mechanisms.

