Slashdot Mirror


Critical Flaw Found in VNC 4.1

jblobz writes "IntelliAdmin has discovered a critical flaw that allows an attacker to control any machine running VNC 4.1. The flaw grants access without the attacker obtaining a password. The details of the vulnerability have not been released, but their website has a proof of concept that allows you to test your own VNC installation for the vulnerability."

1 of 175 comments

  1. Re:scope of bug... by pe1chl · Score: 4, Interesting

    Our experience with *VNC has been that "better" is often subjective.
    We used the original VNC for quite a while then switched to TightVNC. It seemed "better", but on the Windows platform there were some situations where it had difficulty finding the need to redraw certain screen areas.
    (I am of course assuming that the 'poll full screen' option is not used, but limited areas of the screen are polled)
    Sometimes a click on a window bar is needed to refresh that window, sometimes it is enough to move the mouse around a little.
    The ancient version did allow you to refresh the screen by "painting" the area with the mouse cursor, but TightVNC usually refreshes an entire updated area when it is moved over by the mouse.

    However, as there still were apps which did not work entirely satisfactorily (especially when extensive use was made of tooltips), we kept looking and it seemed that UltraVNC was promising. It was installed on a few systems and it worked ok, then rolled out to a lot of systems.
    Now, problems again appear, but in other situations.
    Sometimes it delays refreshing a bit long, and shortening the timer increases the CPU usage too much.
    Using the special video driver improves things a little, but it has proven difficult to find a really well-working setup that does not have annoying lag and does not overload the system either.
    On one system it was even replaced by RealVNC because of system load issues.

    Fortunately all those servers and clients inter-operate, or else there would be a big mess by now.
    (also, we fortunately can automatically and silently install new or other versions on at least the client systems, so switching is not too hard)

    I wonder what other people's experiences are. I don't define "better" as "having more toolbar buttons" or "having more added options like file transfer", but I am still looking for a better VNC in terms of good interactive performance without overloading the server system.