Apple fixes VNC security problem in Remote Desktop 3.5
Late Monday, Apple released an update to the 3.5.x branch of its Apple Remote Desktop (ARD) administration application to close a known security hole. Version 3.5.3 of the desktop management solution for remotely managing Mac OS X systems corrects an information disclosure vulnerability (CVE-2012-0681) that arises when connecting to third-party VNC servers and could result in data not being encrypted even though the "Encrypt all network data" setting is enabled. When this happens, no warning is presented to alert users that the connection could be insecure.
The same problem was already resolved in the 3.6 branch of ARD with the release of version 3.6.1 at the end of August. However, ARD 3.6.x is only available for systems running Mac OS X 10.7 Lion or later, whereas ARD 3.5 still supports the older 10.6 Snow Leopard release of Mac OS X. As with ARD 3.6.1, the 3.5.3 update corrects the problem by creating an SSH tunnel for the VNC connection when "Encrypt all network data" is set. When a tunnel cannot be created, the connection is prevented. According to Apple, only version 3.5.2 of ARD was affected by the problem; Apple Remote Desktop 3.5.1 and earlier are not vulnerable.
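The fail-closed behaviour described above can be sketched as follows. This is an added illustration, not Apple's code: the function names, the local port 5901, the host and user values, and the presence of an SSH server on the VNC host are all assumptions.

```python
import socket
import subprocess
import time

VNC_PORT = 5900  # default RFB/VNC port


class InsecureConnectionRefused(Exception):
    """Encryption was required but no SSH tunnel could be built."""


def open_ssh_tunnel(host, user, local_port, timeout=10.0):
    """Forward 127.0.0.1:local_port to the VNC port on host over SSH.

    Returns the ssh process, or None if the forward never came up.
    """
    cmd = ["ssh", "-N",
           "-o", "BatchMode=yes",             # never hang on a password prompt
           "-o", "ExitOnForwardFailure=yes",  # exit if the forward cannot bind
           "-L", f"127.0.0.1:{local_port}:127.0.0.1:{VNC_PORT}",
           f"{user}@{host}"]
    try:
        proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL)
    except OSError:
        return None                           # ssh client not available
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline and proc.poll() is None:
        try:
            # The forward is usable once the local listener accepts.
            socket.create_connection(("127.0.0.1", local_port), 0.5).close()
            return proc
        except OSError:
            time.sleep(0.2)
    if proc.poll() is None:
        proc.terminate()
    return None


def vnc_endpoint(host, user, encrypt_all, local_port=5901,
                 opener=open_ssh_tunnel):
    """Return (address, port, tunnel) that the VNC viewer may connect to."""
    if not encrypt_all:
        return host, VNC_PORT, None           # plaintext was chosen explicitly
    tunnel = opener(host, user, local_port)
    if tunnel is None:
        # Fail closed: never fall back silently to unencrypted host:5900.
        raise InsecureConnectionRefused(f"no SSH tunnel to {host}")
    return "127.0.0.1", local_port, tunnel
```

With encryption requested, the viewer is only ever handed the loopback end of the tunnel; the remote VNC port is never returned in that mode.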
- About the security content of Apple Remote Desktop 3.5.3, security advisory from Apple.