Apple Remote Desktop update fixes VNC security problem
Apple has released version 3.6.1 of its Apple Remote Desktop (ARD) application for remotely managing Mac OS X systems to fix an information disclosure vulnerability. According to Apple, the security update addresses a serious problem in which data sent over connections to third-party VNC servers may not be encrypted even though the "Encrypt all network data" setting is enabled. Additionally, when this happens, no warning is displayed to alert users that their connection may be insecure.
Apple Remote Desktop 3.6.1 addresses this problem by creating an SSH tunnel for the VNC connection when "Encrypt all network data" is set. If this is not possible, ARD will prevent the connection. Versions 3.5.2 up to and including 3.6.0 are affected; ARD 3.5.1 and earlier are not vulnerable. Non-security-related changes include better support for systems with more than one display, faster launching when long computer lists are present, and fixes that improve ARD's overall stability.
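The tunnel-or-refuse behaviour described above can be reproduced by hand for any VNC client. The following is an added example, not Apple's implementation: it starts an SSH port forward and hands the viewer only the loopback end, raising an error instead of falling back to a direct connection. The function names, the local port 5901 and the assumption that the remote VNC server listens on port 5900 are illustrative.

```python
import socket
import subprocess
import time

VNC_PORT = 5900  # assumed VNC (RFB) port on the remote host


class TunnelError(RuntimeError):
    """The encrypted path could not be established; do not connect."""


def tunnel_command(host, user, local_port, remote_port=VNC_PORT):
    # BatchMode: never hang on a prompt. ExitOnForwardFailure: ssh exits
    # instead of staying connected without the port forward in place.
    return ["ssh", "-N", "-o", "BatchMode=yes", "-o", "ExitOnForwardFailure=yes",
            "-L", f"127.0.0.1:{local_port}:127.0.0.1:{remote_port}",
            f"{user}@{host}"]


def port_open(port, timeout=0.5):
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


def open_encrypted_vnc(host, user, local_port=5901, spawn=subprocess.Popen,
                       probe=port_open, attempts=20, delay=0.25):
    """Start the tunnel and return (process, viewer_target), or raise.

    Only the loopback end of the tunnel is ever returned, so a caller has
    no plaintext address to fall back to when the tunnel fails.
    """
    if probe(local_port):
        # Something else already listens here; it is not our tunnel.
        raise TunnelError(f"local port {local_port} is already in use")
    proc = spawn(tunnel_command(host, user, local_port))
    for _ in range(attempts):
        if proc.poll() is not None:  # ssh exited: auth or forward failed
            raise TunnelError(f"ssh exited with status {proc.returncode}")
        if probe(local_port):
            return proc, f"127.0.0.1:{local_port}"
        time.sleep(delay)
    proc.terminate()
    raise TunnelError("tunnel did not come up in time")
```

The `spawn` and `probe` parameters exist so the logic can be exercised without a real SSH server; in normal use the defaults run `ssh` and test the local port.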
Apple Remote Desktop 3.6.1 requires Mac OS X 10.7 Lion or later, and is available to download from the company's Support web site. Alternatively, existing users can install the update using the built-in Software Update mechanisms.
- About the security content of Apple Remote Desktop 3.6.1, security advisory from Apple.