0 Replies Latest reply: Aug 21, 2012 10:42 AM by The hatter
The hatter Level 9 (60,280 points)

Apple patched a vulnerability in its remote desktop product where the connection isn't being encrypted correctly. This may result in information disclosure, Apple said in its advisory.

 

http://support.apple.com/kb/DL1570

http://support.apple.com/kb/HT5433

 

Even if the user had "Encrypt all network data" selected, connecting to a third-party VNC server may result in "information disclosure" because data is not encrypted, according to a security advisory posted on the Apple website Aug. 20. The vulnerability does not affect Remote Desktop versions 3.5.1 and earlier, and version 3.6.1 is now available from the Mac App Store or Apple's Software Update Pane, or Apple's Software Downloads web site.

 

The download file is named "RemoteDesktopAdmin361.dmg"

 

The bug is a serious flaw because users don't see any warnings that the data is not being encrypted. Not knowing the data is exposed, they may send sensitive information that can be intercepted and used maliciously. The vulnerability was addressed by adding an SSH tunnel to the connection to wrap all communications within the encrypted tunnel, Apple said.

 

http://www.securityweek.com/apple-patches-remote-desktop-flaw

 

SecurityWeek

Apple Patches Remote Desktop Flaw

