Apple Remote Desktop software was vulnerable to snooping

Summary: Apple's Remote Desktop has been erroneously informing users that it has been encrypting data, when a bug has actually meant that the data transmitted was sent in the clear.


Apple users running the latest version of Apple's Remote Desktop software to administer other servers have been doing so without their data being encrypted, even if they asked the software to encrypt it.

In a patch released by the Cupertino, California, company today, Apple stated that when connecting to third-party virtual network computing (VNC) servers, data is not being encrypted, even when the user selects "Encrypt all network data". Additionally, no warning is being provided to the user.

According to Apple's security bulletin, the issue does not affect Apple Remote Desktop 3.5.1 and earlier, indicating that the error was introduced in a subsequent patch. Version 3.5.2 of the client for Apple Remote Desktop was released in February this year, while the 3.5.2 admin version of the tool was released in June.

Apple recommends upgrading to Apple Remote Desktop 3.6.1, which removes the flaw. This latest version now sets up a secure SSH tunnel to provide end-to-end encryption, and stops the connection if a secure tunnel cannot be established.
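The flaw was a mismatch between what the interface promised and what went over the wire, so the check that matters is made on the wire itself. The following is an added example, not code from the article or from Apple: it classifies the first server-to-client bytes of a captured session as cleartext VNC (RFB) or SSH. The function name, the result fields and the sample captures are constructed for illustration, and it assumes the client accepts the protocol version the server announces.

```python
import re

# Server banner that opens every RFB (VNC) session: "RFB xxx.yyy\n", 12 bytes.
RFB_BANNER = re.compile(rb"RFB (\d{3})\.(\d{3})\n")
# Security-type numbers as registered for the RFB protocol.
SECURITY_TYPES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}
ENCRYPTING_TYPES = {18, 19}


def classify_server_stream(data: bytes) -> dict:
    """Classify the first server-to-client bytes of a captured TCP session."""
    result = {"transport": "unknown", "version": None, "offered": [], "exposed": False}
    if data.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        result["transport"] = "ssh"  # VNC, if present, is inside the tunnel
        return result
    m = RFB_BANNER.match(data)
    if m is None:
        return result
    version = (int(m.group(1)), int(m.group(2)))
    rest = data[12:]
    if version >= (3, 7) and rest:
        # 3.7+: one count byte, then that many one-byte security types.
        types = list(rest[1:1 + rest[0]])
    elif version < (3, 7) and len(rest) >= 4:
        # 3.3: the server dictates a single type as a 32-bit big-endian integer.
        types = [int.from_bytes(rest[:4], "big")]
    else:
        types = []  # capture ended before the security handshake
    result.update(
        transport="rfb",
        version=version,
        offered=[SECURITY_TYPES.get(t, f"type {t}") for t in types],
        # A readable RFB banner means no tunnel; without a TLS-based security
        # type on offer the session that follows is readable too.
        exposed=not any(t in ENCRYPTING_TYPES for t in types),
    )
    return result


# Constructed sample captures (not taken from real traffic).
SAMPLES = {
    "plain VNC": b"RFB 003.008\n" + bytes([2, 1, 2]),
    "SSH tunnel": b"SSH-2.0-OpenSSH_5.9\r\n",
    "legacy 3.3": b"RFB 003.003\n" + (2).to_bytes(4, "big"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_server_stream(raw))
```

A session that reports `exposed` as true while the client claims to be encrypting is the condition the bulletin describes.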

The flaw was reported to Apple by Mark Smith, a student at Central Connecticut State University in the US.

The update to version 3.6.1 also brings a few additional improvements to the software, including better support for controlling computers that have multiple displays, faster launch speeds when a large number of computers are listed in the application and better reliability of computer lists that have been imported from previous versions of Apple Remote Desktop.

Topics: Security, Apple, Networking

Michael Lee

About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.


Talkback

5 comments
  • Amateur hour at One Infinite Loop

    "data is not being encrypted, even when the user selects "Encrypt all network data""

    You just can't make this stuff up.
    toddbottom3
  • I bet ....

    crapple have known for a long time, but kept it a secret.
    Scarface Claw
  • Just another in a long list....

    of crap software from the makers of the Macintosh Worm.

    If it weren't for the MSFT software that runs on their platform, they'd have nothing.
    xuniL_z
  • Not surprising the Mac.....

    tards have not posted on this one, they've not come up with a way to spin this one, or blame it on MSFT yet.
    Actually I thought we'd hear that it was only one specific release and everyone would post "doesn't affect me, I don't use that version" or "there are very few that were on that version and Apple quickly fixed it, so this is a non story".
    LOL.
    xuniL_z
  • Lion or higher only

    Even more idiotic is that Apple released 3.6.1 only for Lion or better. Snow Leopard users just got permanently screwed (or could uninstall, reinstall an old copy from disc and then update only so far)! This is not new software, it's older than Snow Leopard and is a SECURITY UPDATE for !@#$%^&* sake!
    What a joke (and I'm otherwise a fan)...
    sjobs84