Apple Remote Desktop software was vulnerable to snooping

Apple Remote Desktop has been telling users that it was encrypting their data when a bug meant the data was in fact being sent in the clear.

Apple users employing Apple Remote Desktop to administer other servers have been doing so with their data unencrypted, even when they had asked the software to encrypt it, if they were running the latest (affected) version.

In a patch released today by the Cupertino, California, company, Apple stated that when Apple Remote Desktop connects to third-party virtual network computing (VNC) servers, the data is not encrypted even when the user has selected "Encrypt all network data", and no warning is given to the user that the session is in the clear.

According to Apple's security bulletin, the issue does not affect Apple Remote Desktop 3.5.1 and earlier, indicating that the error was introduced in a subsequent patch. Version 3.5.2 of the client for Apple Remote Desktop was released in February this year, while the 3.5.2 admin version of the tool was released in June.

Apple recommends upgrading to Apple Remote Desktop 3.6.1, which fixes the flaw. This version establishes a secure SSH tunnel to provide end-to-end encryption, and refuses the connection if a secure tunnel cannot be established.
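A practitioner who wants to confirm that "encrypt all network data" is actually being honoured can check captured traffic for the shape of the bug described above: a VNC (RFB) server banner and security-type negotiation arriving in the clear from a remote host, which is what an unencrypted third-party VNC session looks like on the wire. The script below is an added example, not Apple's code and not part of the original article. It assumes that you have already split a capture into TCP streams and have, for each, the server's address and the first bytes it sent; the sample streams at the bottom are constructed for the example, not real captures. The security-type numbers (1 None, 2 VNC Authentication, 18 TLS, 19 VeNCrypt) are from the IANA RFB security-type registry. Loopback streams are not flagged, because a local `ssh -L` forward (the pattern the 3.6.1 fix relies on) presents the RFB banner on 127.0.0.1 while the traffic leaving the host is inside SSH.

```python
"""Audit captured VNC (RFB) streams for sessions that cannot be encrypted.

Added example: not Apple's code and not part of the original article.
Assumes one record per TCP stream with the server's address and the first
bytes the server sent (e.g. extracted from a pcap with a stream splitter).
The SAMPLE_STREAMS at the bottom are constructed, not real captures.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass

# RFB servers speak first: a 12-byte ProtocolVersion banner, e.g. b"RFB 003.008\n".
RFB_BANNER = re.compile(rb"^RFB (\d{3})\.(\d{3})\n")

# Security types (IANA RFB registry) that can wrap the rest of the session in TLS.
ENCRYPTING_SECURITY_TYPES = {18: "TLS", 19: "VeNCrypt"}
SECURITY_TYPE_NAMES = {1: "None", 2: "VNC Authentication", 18: "TLS", 19: "VeNCrypt"}


@dataclass
class Stream:
    server_ip: str
    server_port: int
    server_bytes: bytes  # first bytes sent by the server, concatenated across segments


def parse_server_hello(data: bytes):
    """Return (major, minor, offered_security_types), or None if this is not RFB.

    RFB 3.3: the server picks one security type and sends it as a big-endian u32.
    RFB 3.7/3.8: the server sends a count byte followed by that many 1-byte types.
    The type list may arrive in a later segment, so an empty list means "not seen".
    """
    m = RFB_BANNER.match(data)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    rest = data[m.end():]
    if (major, minor) <= (3, 3):
        if len(rest) >= 4:
            return major, minor, [struct.unpack(">I", rest[:4])[0]]
        return major, minor, []
    if not rest:
        return major, minor, []
    count = rest[0]
    if count == 0:
        # Count 0 means the server refused the connection; a reason string follows.
        return major, minor, []
    return major, minor, list(rest[1:1 + count])


def assess(stream: Stream) -> str:
    """Classify one stream under an "all network data must be encrypted" policy."""
    if ipaddress.ip_address(stream.server_ip).is_loopback:
        # A local ssh -L forward terminates on loopback: RFB bytes are plaintext
        # only inside this host, which is the arrangement the 3.6.1 fix relies on.
        return "loopback-forward"
    hello = parse_server_hello(stream.server_bytes)
    if hello is None:
        return "not-rfb"
    _major, _minor, types = hello
    if not types:
        return "rfb-cleartext-banner"  # banner seen in the clear, negotiation not captured
    if any(t in ENCRYPTING_SECURITY_TYPES for t in types):
        return "rfb-tls-capable"  # encryption is at least on offer; inspect further
    return "rfb-cleartext"  # nothing offered can encrypt this session


def audit(streams):
    """Return (target, verdict, offered_type_names) for plaintext RFB to remote hosts."""
    findings = []
    for s in streams:
        verdict = assess(s)
        if verdict.startswith("rfb-cleartext"):
            types = parse_server_hello(s.server_bytes)[2]
            names = [SECURITY_TYPE_NAMES.get(t, str(t)) for t in types]
            findings.append((f"{s.server_ip}:{s.server_port}", verdict, names))
    return findings


# Constructed sample streams (not real captures).
SAMPLE_STREAMS = [
    # Third-party VNC server, RFB 3.8, offering only None and VNC Authentication.
    Stream("192.0.2.10", 5900, b"RFB 003.008\n\x02\x01\x02"),
    # RFB 3.3 server: selects VNC Authentication (2) as a u32.
    Stream("192.0.2.11", 5900, b"RFB 003.003\n\x00\x00\x00\x02"),
    # Server offering VeNCrypt (19) as well as VNC Authentication.
    Stream("192.0.2.12", 5900, b"RFB 003.008\n\x02\x13\x02"),
    # Same VNC banner, but reached through a local ssh -L 5901:host:5900 forward.
    Stream("127.0.0.1", 5901, b"RFB 003.008\n\x02\x01\x02"),
    # The SSH tunnel itself, as seen on the wire.
    Stream("192.0.2.12", 22, b"SSH-2.0-OpenSSH_6.2\r\n"),
]

if __name__ == "__main__":
    for target, verdict, offered in audit(SAMPLE_STREAMS):
        print(f"{target}: {verdict} (offered: {', '.join(offered) or 'unknown'})")
```

The check is deliberately conservative: a stream that offers TLS or VeNCrypt is only reported as "capable", because whether the client actually chose an encrypting type is decided later in the handshake, and a banner without a captured type list is still flagged, since even the banner should not be visible on the wire when the session is meant to run inside SSH.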

The flaw was reported to Apple by Mark Smith, a student at Central Connecticut State University in the US.

The update to version 3.6.1 also brings a few additional improvements to the software, including better support for controlling computers that have multiple displays, faster launch speeds when a large number of computers are listed in the application and better reliability of computer lists that have been imported from previous versions of Apple Remote Desktop.
