Apple released an update to the 3.5.x branch of its Apple Remote Desktop (ARD) administration application to close a known security hole.
Version 3.5.3 of the desktop management solution for remotely managing Mac OS X systems corrects an information disclosure vulnerability (CVE-2012-0681): when connecting to third-party VNC servers, data could be transmitted unencrypted even though the “Encrypt all network data” setting was enabled. When this happens, no warning alerts users that the connection could be insecure.
The same problem was already resolved in the 3.6 branch of ARD with the release of version 3.6.1 at the end of August. However, ARD 3.6.x is only available for systems running Mac OS X 10.7 Lion or later, whereas ARD 3.5 still supports the older 10.6 Snow Leopard release of Mac OS X.
As with ARD 3.6.1, the 3.5.3 update corrects the problem by creating an SSH tunnel for the VNC connection when “Encrypt all network data” is set.
When an SSH tunnel cannot be established, the connection is prevented rather than falling back to an unencrypted session. According to Apple, only version 3.5.2 of ARD suffered from the problem; Apple Remote Desktop 3.5.1 and earlier are not vulnerable.
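The fail-closed behaviour described above, as an added shell example rather than Apple's own code: the VNC client is only launched once an SSH local port forward to the remote VNC port is in place, and a tunnel that cannot be set up aborts the connection instead of silently dropping to plaintext. The host, user and local port are placeholders, not values from the article.

```shell
#!/bin/sh
# Added example: reach a remote VNC server only through an SSH tunnel, and
# refuse the connection outright if the tunnel cannot be established
# (the fail-closed behaviour ARD 3.5.3 adopts when "Encrypt all network data" is set).
# Host, user and local port are placeholders, not values from the article.

vnc_via_ssh() {
    vnc_host="$1"
    vnc_user="$2"
    local_port="${3:-15900}"   # local end of the forward; 5900 is the remote VNC port

    # -N: run no remote command; -f: background only after the forward is up.
    # ExitOnForwardFailure=yes makes ssh exit non-zero when the port forward
    # cannot be set up, so a broken tunnel is detected instead of ignored.
    if ! ssh -N -f -o ExitOnForwardFailure=yes \
            -L "127.0.0.1:${local_port}:127.0.0.1:5900" "${vnc_user}@${vnc_host}"; then
        echo "SSH tunnel to ${vnc_host} failed; refusing to connect to VNC in the clear" >&2
        return 1
    fi

    # Point the VNC client only at the local end of the tunnel, never at the
    # remote host directly. On macOS, `open vnc://...` hands the URL to Screen Sharing.
    open "vnc://127.0.0.1:${local_port}"
}
```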
Version 3.5.3 of Apple Remote Desktop is available to download from Apple’s support web site; existing users can install the update using the built-in Software Update mechanism.