Apple has patched a security flaw in its Remote Desktop software noting that connections to a third-party VNC server with the "Encrypt all network data" setting on may lead to information disclosure.
over at Apple’s security section on support.apple.com notes that Apple Remote Desktop 3.5.3
addresses a security issue. Although the update also brings some other changes and improvements, security seems to be the key reason why Apple rolled out this new version.
The Cupertino mammoth explains that, “When connecting to a third-party VNC server with ‘Encrypt all network data’ set, data is not encrypted and no warning is produced.” In other words, this could lead to information disclosure.
By creating an SSH tunnel for the VNC connection in this configuration, and preventing the connection, Apple was able to patch this issue with the help of one Mark S. C. Smith studying at Central Connecticut State University, who reported the problem.
Apple points out that this issue doesn’t affect Apple Remote Desktop 3.5.1 and earlier versions.