Even if the user had "Encrypt all network data" selected, connecting to a third-party VNC server may result in "information disclosure" because data is not encrypted, according to a security advisory posted on the Apple website Aug. 20. The vulnerability does not affect Remote Desktop versions 3.5.1 and earlier. Version 3.6.1 is now available from the Mac App Store, Apple's Software Update pane, or Apple's Software Downloads web site.
The download file is named "RemoteDesktopAdmin361.dmg".
The bug is a serious flaw because users don't see any warnings that the data is not being encrypted. Not knowing the data is exposed, they may send sensitive information that can be intercepted and used maliciously. The vulnerability was addressed by adding an SSH tunnel to the connection to wrap all communications within the encrypted tunnel, Apple said.
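The same tunnel-first pattern can be set up by hand with OpenSSH. This is an added example, not Apple's code: the function names are hypothetical, the target and ports are placeholders, and it assumes SSH access to the host running the VNC server. The viewer address is returned only if the tunnel came up.

```shell
#!/bin/sh
# Added example: carry a VNC session over an SSH local forward and fail closed.
# Usage after sourcing this file: vnc_over_ssh user@host [local_port] [remote_port]

# Accept only a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Build the -L forwarding spec. Both ends are pinned to loopback: the local
# listener is not reachable from other hosts, and the VNC service is reached
# through the server's own loopback interface inside the SSH session.
forward_spec() {
    valid_port "$1" && valid_port "$2" || return 2
    printf '127.0.0.1:%s:127.0.0.1:%s\n' "$1" "$2"
}

# Open the tunnel, then print the loopback address for the VNC viewer.
# ExitOnForwardFailure=yes makes ssh exit non-zero when the forward cannot be
# set up, so no viewer address is printed for an unprotected path.
vnc_over_ssh() {
    target=$1
    lport=${2:-5901}
    rport=${3:-5900}
    # Reject empty targets and anything ssh would parse as an option.
    case "$target" in
        ''|-*) echo "refusing target: $target" >&2; return 2 ;;
    esac
    spec=$(forward_spec "$lport" "$rport") || {
        echo "invalid port" >&2
        return 2
    }
    # -N: no remote command, -f: go to background once the session is up.
    ssh -f -N -o ExitOnForwardFailure=yes -L "$spec" "$target" || {
        echo "tunnel not established; not connecting" >&2
        return 1
    }
    printf 'vnc://127.0.0.1:%s\n' "$lport"
}
```

Point the VNC viewer at the printed loopback address rather than at the remote host, so the session can only travel through the tunnel.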