Apple released version 3.6.1 of its Apple Remote Desktop (ARD) application for remotely managing Mac OS X systems to fix an information disclosure vulnerability.
The security update addresses a serious problem when connecting to third-party VNC servers: data may be sent unencrypted even though the “Encrypt all network data” setting is enabled, Apple said. Additionally, when this happens there is no warning to alert users that their connection may be insecure.
Apple Remote Desktop 3.6.1 addresses the problem by creating an SSH tunnel for the VNC connection when “Encrypt all network data” is set. If this is not possible, ARD will prevent the connection.
Versions 3.5.2 up to and including 3.6.0 suffer from the issue; ARD 3.5.1 and earlier are not vulnerable.
Non-security-related changes include better support for systems with more than one display, faster launch speed when long computer lists are present, and fixes that improve ARD’s overall stability.
Apple Remote Desktop 3.6.1 requires Mac OS X 10.7 Lion or later, and is available to download from the company’s Support web site. Alternatively, existing users can install the update using the built-in Software Update mechanisms.
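The tunnel-or-refuse behaviour described for ARD 3.6.1 can be reproduced by hand when connecting to a third-party VNC server. The script below is an added example, not Apple's code and not part of the original article; the helper names `open_tunnel` and `connect_vnc`, the host and the local port are assumptions, and it assumes the VNC server listens on port 5900 on the same machine as the SSH server.

```shell
#!/usr/bin/env bash
# Added example (not Apple's implementation): fail-closed VNC over SSH.
# If encryption is requested and the tunnel cannot be built, refuse to
# connect instead of silently falling back to cleartext VNC.

SSH_BIN="${SSH_BIN:-ssh}"      # overridable so the logic can be exercised offline
VNC_OPEN="${VNC_OPEN:-open}"   # macOS 'open' hands vnc:// URLs to Screen Sharing

# open_tunnel USER@HOST LOCAL_PORT [REMOTE_VNC_PORT]
# Succeeds only if ssh connected and the local port forward was set up.
open_tunnel() {
    local target="$1"
    local lport="$2"
    local rport="${3:-5900}"
    "$SSH_BIN" -f -N \
        -o ExitOnForwardFailure=yes \
        -o ConnectTimeout=10 \
        -L "127.0.0.1:${lport}:127.0.0.1:${rport}" \
        "$target"
}

# connect_vnc USER@HOST LOCAL_PORT ENCRYPT(yes|no)
connect_vnc() {
    local target="$1"
    local lport="$2"
    local encrypt="$3"
    if [ "$encrypt" = "yes" ]; then
        if ! open_tunnel "$target" "$lport"; then
            echo "refusing to connect: no SSH tunnel to ${target}" >&2
            return 1    # fail closed
        fi
        # VNC traffic now travels inside the SSH session via the loopback port.
        "$VNC_OPEN" "vnc://127.0.0.1:${lport}"
    else
        # Explicit warning, so an unencrypted session is never silent.
        echo "warning: connecting to ${target#*@} WITHOUT encryption" >&2
        "$VNC_OPEN" "vnc://${target#*@}"
    fi
}

# Usage (constructed host): connect_vnc admin@mac-lab-01.example 5901 yes
```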