Apple patched a vulnerability in its remote desktop product where the connection isn’t being encrypted correctly. This may result in information disclosure, Apple said in its advisory.
Even if the user had “Encrypt all network data” selected, connecting to athird-party VNC server may result in “information disclosure” because data is not encrypted, according to a security advisory posted on the Apple website Aug. 20. The vulnerability does not affect Remote Desktop versions 3.5.1 and earlier, and version 3.6.1 is now available from the Mac App Store or Apple’s Software Update Pane, or Apple’s Software Downloads web site.
[The download file is named “RemoteDesktopAdmin361.dmg” and its SHA-1 digest is: dd41bab369c7905e79ff3b3adea97904f55d9759]
The bug is a serious flaw because users don’t see any warnings that the data is not being encrypted. Not knowing the data is exposed, they may send sensitive information that can be intercepted and used maliciously. The vulnerability was addressed by adding an SSH tunnel to the connection to wrap all communications within the encrypted tunnel, Apple said.
Mark S. C. Smith, at Central Connecticut State University, was credited the discovering the flaw.
