Slashdot Mirror

← Back to Stories (view on slashdot.org)

Critical Flaw Found in VNC 4.1

Posted by ryuzaki0 on Thursday May 11, 2006 @01:42PM from the public-desktops dept.

jblobz writes "IntelliAdmin has discovered a critical flaw that allows an attacker to control any machine running VNC 4.1. The flaw grants access without the attacker obtaining a password. The details of the vulnerability have not been released, but their website has a proof of concept that allows you to test your own VNC installation for the vulnerability"

3 of 175 comments (clear)

Min score:

Reason:

Sort:

SSH by Anonymous Coward · 2006-05-11 13:45 · Score: 5, Insightful

You should tunnel unencrypted services like VNC over SSH anyway.
Yikes! by timeOday · 2006-05-11 13:47 · Score: 5, Insightful

Surely inspection of the vulnerability test will betray the flaw to attackers?
SSH tunnels by ArbitraryConstant · 2006-05-11 13:53 · Score: 5, Insightful

Like many services meant for users that can be expected to have a password, this is best tunneled through SSH. Access is controlled by a comparatively secure protocol and server. It's still best to patch (eg someone might get unpriviledged access to a machine and use this flaw to escalate the breach), but having a gateway that's more secure than any of the components behind it is nice. Even if the gateway itself has flaws from time to time.

--
I rarely criticize things I don't care about.