Apple Remote Desktop software was vulnerable to snooping
Users of Apple's Remote Desktop software who administer other servers have been doing so without their data being encrypted, even when they asked the software to encrypt it, if they were running the latest version.
In a patch released by the Cupertino, California, company today, Apple stated that when connecting to third-party virtual network computing (VNC) servers, data is not being encrypted, even when the user selects "Encrypt all network data". Additionally, no warning is being provided to the user.
According to Apple's security bulletin, the issue does not affect Apple Remote Desktop 3.5.1 and earlier, indicating that the error was introduced in a subsequent patch. Version 3.5.2 of the client for Apple Remote Desktop was released in February this year, while the 3.5.2 admin version of the tool was released in June. Apple recommends upgrading to Apple Remote Desktop 3.6.1, which removes the flaw. This latest version now sets up a secure SSH tunnel to provide end-to-end encryption, and stops the connection if a secure tunnel cannot be established.
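The fail-closed behaviour described above (tunnel first, no connection if the tunnel cannot be set up) can be reproduced by hand for any VNC viewer. The following is an added example, not Apple's implementation: the function name `secure_vnc`, the `SSH_BIN` and `VIEWER_CMD` variables and the default ports are hypothetical, and it assumes the VNC host also runs an SSH server and that the client is a Mac where `open` handles `vnc://` URLs.

```shell
#!/bin/sh
# Added example: open a VNC session only through an SSH tunnel, and refuse
# to connect at all if the tunnel cannot be established (fail closed).
SSH_BIN="${SSH_BIN:-ssh}"        # overridable for testing
VIEWER_CMD="${VIEWER_CMD:-open}" # assumption: macOS 'open' for vnc:// URLs

# secure_vnc USER@HOST [LOCAL_PORT] [REMOTE_VNC_PORT]
# Returns 0 only when the tunnel is up and the viewer was started through it.
secure_vnc() {
    sv_target="$1"
    sv_lport="${2:-5901}"
    sv_rport="${3:-5900}"

    # Reject an empty target, or one that ssh would parse as an option.
    case "$sv_target" in
        ""|-*) echo "usage: secure_vnc user@host [lport] [rport]" >&2
               return 2 ;;
    esac
    # Ports must be plain numbers before they go into the -L specification.
    case "$sv_lport$sv_rport" in
        *[!0-9]*) echo "ports must be numeric" >&2; return 2 ;;
    esac

    # -f  background ssh once authentication and forwarding are done
    # -N  run no remote command, forward only
    # ExitOnForwardFailure=yes makes ssh exit non-zero if the forward
    # cannot be set up, instead of silently continuing without it.
    # Binding to 127.0.0.1 keeps the local end of the tunnel off the LAN.
    if ! "$SSH_BIN" -f -N \
            -o ExitOnForwardFailure=yes \
            -L "127.0.0.1:${sv_lport}:127.0.0.1:${sv_rport}" \
            "$sv_target"; then
        echo "tunnel to $sv_target failed; not connecting" >&2
        return 1
    fi

    # Reached only with a working tunnel. The viewer is pointed at the
    # local end, never at the remote host's VNC port directly.
    # The backgrounded ssh process stays up until it is killed.
    "$VIEWER_CMD" "vnc://127.0.0.1:${sv_lport}"
}

# Usage (constructed host name): secure_vnc admin@vnc-host.example 5901 5900
```

With the VNC server bound to the loopback interface on the remote host, the SSH tunnel becomes the only path to it, so a plaintext fallback is not possible.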