Apple has released a fix for a vulnerability in its Remote Desktop product that could result in sensitive data being sent unencrypted, even when users have the product configured to encrypt all network data. The vulnerability can lead to information disclosure, and Apple says the issue affects versions 3.0 and later.
Apple fixed the vulnerability by wrapping the VNC connection in an SSH tunnel, so the session is encrypted in transit.
“Connecting to a third-party VNC server with ‘Encrypt all network data’ set may lead to information disclosure. Description: When connecting to a third-party VNC server with ‘Encrypt all network data’ set, data is not encrypted and no warning is produced. This issue is addressed by creating an SSH tunnel for the VNC connection in this configuration, and preventing the connection if the SSH tunnel cannot be created. This issue does not affect Apple Remote Desktop 3.5.1 and earlier,” Apple said in its advisory.
To fix the bug, Apple has released version 3.6.1 of Apple Remote Desktop. The bug is serious because, even with the product set to encrypt all data, the connection was not encrypted and users received no warning that their data was being sent in the clear.
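The fail-closed behaviour Apple describes (tunnel the VNC session over SSH, and refuse to connect if the tunnel cannot be created) can be reproduced for a third-party VNC server with a small wrapper. This is an added example, not Apple's or Remote Desktop's own code; it assumes the remote host runs an SSH server and a VNC server listening on its loopback port 5900, and that `open vnc://` launches macOS Screen Sharing.

```shell
#!/bin/sh
# Fail-closed VNC over SSH (added example, not Apple's or ARD's code).
# Usage: vnc_via_ssh_tunnel <ssh-destination> <local-port> [remote-vnc-port] [ssh-port]
# Sets up a local port forward to the remote VNC service and starts the
# viewer ONLY after ssh confirms the forward; on any failure it returns
# non-zero and never falls back to a plaintext VNC connection.
vnc_via_ssh_tunnel() {
    dest=$1
    lport=$2
    rport=${3:-5900}                  # VNC display :0 on the remote host
    sport=${4:-22}                    # SSH port on the remote host
    # Viewer to launch on success; macOS Screen Sharing by default.
    # VNC_VIEWER may override it (the test uses this to avoid opening a GUI).
    viewer=${VNC_VIEWER:-"open vnc://127.0.0.1:$lport"}
    ctl="${TMPDIR:-/tmp}/vnc-tunnel-$lport.sock"   # control socket for teardown

    command -v ssh >/dev/null 2>&1 || {
        echo "ssh not available; refusing to connect without a tunnel" >&2
        return 2
    }

    # -f -N: go to the background after authentication, run no remote command.
    # ExitOnForwardFailure=yes: ssh exits non-zero instead of silently
    # continuing if the local forward cannot be established.
    # BatchMode/StrictHostKeyChecking: never prompt; refuse unknown host keys,
    # because the tunnel is only as trustworthy as the host key check.
    if ! ssh -f -N -M -S "$ctl" \
            -o ExitOnForwardFailure=yes \
            -o BatchMode=yes \
            -o StrictHostKeyChecking=yes \
            -o ConnectTimeout=5 \
            -p "$sport" \
            -L "127.0.0.1:$lport:127.0.0.1:$rport" "$dest"; then
        echo "SSH tunnel to $dest could not be created; VNC connection blocked" >&2
        return 1
    fi

    # Tunnel is up: the viewer talks to loopback and ssh carries it encrypted.
    sh -c "$viewer"
    rc=$?

    # Tear the tunnel down through the control socket once the viewer exits.
    ssh -S "$ctl" -O exit "$dest" >/dev/null 2>&1
    return $rc
}
```

The key property is that the viewer is never started unless the `ssh` command itself reports the forward as established, which is exactly the "prevent the connection if the tunnel cannot be created" behaviour from the advisory.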
Users can get the new version of Remote Desktop through the Mac App Store or from the Apple Support site.