[zeugma]

I hadn't seen this posted before. I know a lot of admins use VNC for remote administration of both Unix and Windows systems. This is a pretty serious flaw.

The link for the proof of concept is here .

I haven't tested this against Unix systems running VNC yet, as I hace none readily available here. If you use use it on Unix/Linux/OSX, you might want to test against it. I'd appreciate any results against same to he posted here, as I am sure others would as well.

This was posted on Slashdot as well.

 

[zeugma]

Tech ping please for those interested.

[mhx]

So they want you to click on a link that will let them connect back to your machine and try to connect to your VNC server? To see if you have the bug?

Hmmmmmm...

[kinoxi]

no, everybody knows osx is immune from worldly flaws, didn't you get the memo? /s

[johnboy]

thank you. thank you, thank you, thank you.

[kalee]

ping

[Egon]

Irk. I use this utility on all of my PCs. Fortunately, I don't open that port to the outside world-- just internal to the network.

[Senator Bedfellow]

The Slapdash article was typical crap, though - what wasn't mentioned was that only RealVNC (and only this specific version of RealVNC) is affected. TightVNC and Ultr@VNC and other versions of RealVNC are not affected at all. Stupid fearmongering by the editors over there, but that's not exactly new ;)

[Senator Bedfellow]

BTW, I have unused moderator points over there that expire this afternoon, so anyone that wants a bump, let me know :)

[kpp_kpp]

VNC is only safe over SSH

Having a port/machine open for VNC, even w/VCN authentication, is silly.