Apple Remote Desktop Encryption Failure Lets Remote Users Obtain Potentially Sensitive Information
|
|
SecurityTracker Alert ID: 1027420 |
|
SecurityTracker URL: http://securitytracker.com/id/1027420
|
|
CVE Reference:
CVE-2012-0681
(Links to External Site)
|
Updated: Sep 18 2012
|
Original Entry Date: Aug 21 2012
|
Impact:
Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): after 3.5.1 and prior to 3.6.1
|
Description:
A vulnerability was reported in Apple Remote Desktop. A remote user can monitor potentially sensitive information.
When a user connects to a third-party VNC server with the 'Encrypt all network data' setting enabled, network data is not encrypted. A remote user monitoring the network can obtain ostensibly encrypted data.
Mark S. C. Smith studying at Central Connecticut State University reported this vulnerability.
|
Impact:
A remote user with the ability to monitor network connections can obtain potentially sensitive information.
|
Solution:
The vendor has issued a fix (3.5.3, 3.6.1), available from Mac App Store, the Software Update pane in System Preferences, or Apple's Software Downloads web site at:
http://www.apple.com/support/downloads/
[Editor's note: The 3.5.3 fix was added on September 17, 2012 as part of APPLE-SA-2012-09-17-1 Apple Remote Desktop 3.5.3.]
The download file is named: "RemoteDesktopAdmin353.dmg"
Its SHA-1 digest is: 7fd3a92dcd0e495e94a575bd09b333a89049c877
The download file is named: "RemoteDesktopAdmin361.dmg"
Its SHA-1 digest is: dd41bab369c7905e79ff3b3adea97904f55d9759
The vendor's advisory is available at:
http://support.apple.com/kb/HT5433
|
Vendor URL: support.apple.com/kb/HT5433 (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
UNIX (OS X)
|
|
Message History:
None.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
