Apple Remote Desktop software was vulnerable to snooping

Summary: Apple's Remote Desktop has been erroneously informing users that it has been encrypting data, when a bug has actually meant that the data was transmitted in the clear.

Apple users who run the latest version of Apple's Remote Desktop software to administer other servers have been doing so without their data being encrypted, even when they asked the software to encrypt it.

In a patch released by the Cupertino, California, company today, Apple stated that when connecting to third-party virtual network computing (VNC) servers, data is not being encrypted, even when the user selects "Encrypt all network data". Additionally, no warning is being provided to the user.

According to Apple's security bulletin, the issue does not affect Apple Remote Desktop 3.5.1 and earlier, indicating that the error was introduced in a subsequent patch. Version 3.5.2 of the client for Apple Remote Desktop was released in February this year, while the 3.5.2 admin version of the tool was released in June.

Apple recommends upgrading to Apple Remote Desktop 3.6.1, which removes the flaw. This latest version now sets up a secure SSH tunnel to provide end-to-end encryption, and stops the connection if a secure tunnel cannot be established.
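As an added example (not from Apple or the original article), the following Python checks what protocol is actually on the wire instead of trusting a client's "encrypted" indicator, and fails closed in the way the 3.6.1 behaviour is described above. It assumes the input is the server-to-client bytes of a captured connection; the function names and sample bytes are constructed for illustration.

```python
import re

# Both protocols have the server speak first, so its opening bytes identify the transport.
RFB_VERSION = re.compile(rb"RFB (\d{3})\.(\d{3})\n")  # RFC 6143 ProtocolVersion, 12 bytes
SSH_IDENT = re.compile(rb"SSH-2\.0-[^\r\n]*\r?\n")    # RFC 4253 identification string

# RFB security types that do not encrypt the session that follows authentication.
CLEARTEXT_TYPES = {1: "None", 2: "VNC Authentication"}

# Constructed sample captures (server-to-client bytes), not taken from the article.
SAMPLE_RFB = b"RFB 003.008\n" + bytes([2, 1, 2])  # count=2, then types 1 and 2
SAMPLE_SSH = b"SSH-2.0-ExampleServer_1.0\r\n"


class CleartextSession(Exception):
    """The observed transport is not an SSH tunnel."""


def classify(server_bytes: bytes) -> dict:
    """Label the server's opening bytes as 'ssh', 'rfb' or 'unknown'."""
    if SSH_IDENT.match(server_bytes):
        return {"transport": "ssh"}
    m = RFB_VERSION.match(server_bytes)
    if not m:
        return {"transport": "unknown"}
    version = (int(m.group(1)), int(m.group(2)))
    rest = server_bytes[m.end():]
    if version >= (3, 7):  # count byte, then one byte per offered security type
        types = list(rest[1:1 + rest[0]]) if rest else []
    else:  # RFB 3.3: the server picks one type and sends it as a 32-bit integer
        types = [int.from_bytes(rest[:4], "big")] if len(rest) >= 4 else []
    return {"transport": "rfb", "version": version,
            "security": [CLEARTEXT_TYPES.get(t, f"type {t}") for t in types]}


def require_tunnel(server_bytes: bytes) -> str:
    """Fail closed: return only when the peer speaks SSH, otherwise raise."""
    info = classify(server_bytes)
    if info["transport"] != "ssh":
        raise CleartextSession(f"not tunnelled: {info}")
    return info["transport"]


if __name__ == "__main__":
    print(classify(SAMPLE_RFB))
    print(require_tunnel(SAMPLE_SSH))
```

A plain `RFB` banner on the port the admin tool connects to means the framebuffer and keystrokes are readable on the network, whatever the client's settings say.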

The flaw was reported to Apple by Mark Smith, a student at Central Connecticut State University in the US.

The update to version 3.6.1 also brings a few additional improvements to the software, including better support for controlling computers that have multiple displays, faster launch speeds when a large number of computers are listed in the application and better reliability of computer lists that have been imported from previous versions of Apple Remote Desktop.

Topics: Security, Apple, Networking

About

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.
