Apple Patches Remote Desktop Flaw
Apple patched a vulnerability in its remote desktop product where the connection isn't being encrypted correctly. This may result in information disclosure, Apple said in its advisory.
http://support.apple.com/kb/DL1570
http://support.apple.com/kb/HT5433
Even if the user had "Encrypt all network data" selected, connecting to a third-party VNC server may result in "information disclosure" because data is not encrypted, according to a security advisory posted on the Apple website Aug. 20. The vulnerability does not affect Remote Desktop versions 3.5.1 and earlier, and version 3.6.1 is now available from the Mac App Store or Apple's Software Update Pane, or Apple's Software Downloads web site.
The download file is named "RemoteDesktopAdmin361.dmg"
The bug is a serious flaw because users don't see any warnings that the data is not being encrypted. Not knowing the data is exposed, they may send sensitive information that can be intercepted and used maliciously. The vulnerability was addressed by adding an SSH tunnel to the connection to wrap all communications within the encrypted tunnel, Apple said.
http://www.securityweek.com/apple-patches-remote-desktop-flaw
SecurityWeek
Apple Patches Remote Desktop Flaw
Mac Pro, Windows 8 Preview x64 3.2GHz