
To all IT professionals,

 

 

Apple has released Apple Remote Desktop 3.7 to fix vulnerabilities in earlier
versions of Apple Remote Desktop (before 3.5.4).

 

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5135

 

Format string vulnerability in Screen Sharing Server in Apple Mac OS X
before 10.9 and Apple Remote Desktop before 3.5.4 allows remote attackers to
execute arbitrary code via format string specifiers in a VNC username.


Impact


CVSS Severity (version 2.0):


CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
<http://nvd.nist.gov/cvss.cfm?version=2&name=CVE-2013-5135&vector=%28AV%3AN/AC%3AL/Au%3AN/C%3AP/I%3AP/A%3AP%29>
(legend: <http://nvd.nist.gov/cvss.cfm?vectorinfo&version=2>)

Impact Subscore: 6.4

Exploitability Subscore: 10.0


CVSS Version 2 Metrics:


Access Vector: Network exploitable 

Access Complexity: Low 

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows
unauthorized modification; Allows disruption of service
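The NVD entry above describes a format string bug: the VNC username supplied by the remote client was used as a format string rather than as data. The following C program is an added illustration of that bug class and its fix; it is not Apple's code and not from the advisory. It uses a hypothetical login-logging routine in which the untrusted input is the VNC username (the only detail taken from the page), shown in its vulnerable form beside the safe form, plus a simple check a defender can apply to authentication logs while unpatched hosts remain.

```c
/* Added example, not from the advisory or from Apple's code: the
 * format-string bug class described for CVE-2013-5135, shown on a
 * hypothetical VNC login logger. Only the fact that the untrusted input
 * is the VNC username comes from the page; everything else is constructed. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* VULNERABLE pattern: the client-controlled username *is* the format
 * string, so any '%' directives inside it are interpreted by snprintf.
 * Kept here only to contrast with the fix. gcc and clang flag this call
 * with -Wformat-security ("format not a string literal and no format
 * arguments"); building with -Werror=format-security makes it a build error. */
int log_login_vulnerable(char *out, size_t outlen, const char *username)
{
    return snprintf(out, outlen, username);
}

/* SAFE pattern: the format is a literal and the username is passed as the
 * argument for "%s", so its bytes are copied verbatim and never parsed. */
int log_login_safe(char *out, size_t outlen, const char *username)
{
    return snprintf(out, outlen, "VNC login attempt by user \"%s\"", username);
}

/* Defender-side check for log review or an IDS rule: a VNC username that
 * carries a '%' character is suspicious on hosts that are not yet updated,
 * since legitimate usernames practically never contain one. */
bool username_has_format_directive(const char *username)
{
    return strchr(username, '%') != NULL;
}

int main(void)
{
    /* Constructed sample: a username containing an escaped percent sign,
     * which is the one directive that is safe to pass through a format
     * string for demonstration purposes. */
    const char *username = "50%%";
    char line[128];

    log_login_vulnerable(line, sizeof line, username);
    printf("vulnerable logger wrote: %s\n", line);   /* "50%" - directive consumed */

    log_login_safe(line, sizeof line, username);
    printf("safe logger wrote:       %s\n", line);   /* username copied verbatim */

    printf("flag for review: %s\n",
           username_has_format_directive(username) ? "yes" : "no");
    return 0;
}
```

The difference in output is the whole lesson: the vulnerable routine turns `50%%` into `50%` because the username was parsed as a format, while the safe routine records the username exactly as received. Any directive other than `%%` in the vulnerable path is undefined behaviour, which is why the fix is to never let untrusted data reach the format-string parameter at all.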

 

________________________________________________________________________________

 

http://lists.apple.com/archives/security-announce/2013/Oct/msg00008.html

 

 

 

Apple Remote Desktop 3.7 is now available and addresses the
following:
 
Apple Remote Desktop
Available for:  Apple Remote Desktop 3.0 or later
Impact:  A warning about use of VNC without encryption may not appear
Description:  If a third-party VNC server reported certain
authentication types, Remote Desktop may have used password
authentication but not warned that the connection would be
unencrypted. This issue was addressed through improved handling of
authentication types.
CVE-ID
CVE-2013-5136 : Mark S. C. Smith studying at Central Connecticut
State University
 
Apple Remote Desktop
Available for:  Apple Remote Desktop 3.0 or later
Impact:  A remote attacker may be able to cause arbitrary code
execution
Description:  A format string vulnerability existed in Remote
Desktop's handling of the VNC username.
CVE-ID
CVE-2013-5135 : SilentSignal working with iDefense VCP
 
 
Apple Remote Desktop 3.7 may be obtained from the Software Update
pane, or Apple's Software Downloads web site:
http://www.apple.com/support/downloads/
 
The download file is named:  "RemoteDesktopClient3.7.dmg"
Its SHA-1 digest is: dc93c3f62309898e317fe0704ca737ad066f3d91
 
Information will also be posted to the Apple Security Updates
web site: http://support.apple.com/kb/HT1222
 
This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/

 

 

 

 

Michael Rutt | Sr. ITS Security Analyst | University of Nebraska - Lincoln | 402-472-0933
126 501 Building | Lincoln NE 68588-0203