A security hole has surfaced in a program IT administrators use to access remote machines, but fixes are available.
A flaw in the authentication process of RealVNC (Virtual Network Computing) software could allow attackers to gain remote access to an affected VNC server and compromise it, Cupertino, Calif.-based AV giant Symantec Corp. warned in a message to customers of its DeepSight Threat Management System.
"During the initial handshake and authentication process between VNC clients and servers, a list of authentication methods is sent to clients," Symantec said. "The client chooses a method and returns a byte specifying the method it wishes to continue with."
The flaw appears because the server doesn't properly validate that the requested method sent by the client is actually one of the methods allowed by the server. "This issue allows remote attackers to request an anonymous authentication method, which will be incorrectly accepted by the server," Symantec said. "This allows them to gain full control of the VNC server session."
However, there is a fix for this issue, or it is the upgrade. I haven't tested it or read it completely.
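The missing check Symantec describes, as an added example that is not part of the original article and is not RealVNC's code: a Python model of the server side of the method-selection step, comparing the described behaviour with a check against the offered list. It assumes the RFB numbering in which security type 1 is "None" and type 2 is "VNC Authentication"; all function names are hypothetical.

```python
# Added example: models the server side of the RFB security-type selection.
# It is not RealVNC's code; function names are hypothetical.

SEC_NONE = 1      # RFB security type "None": no authentication step follows
SEC_VNC_AUTH = 2  # RFB security type "VNC Authentication": challenge/response
IMPLEMENTED = {SEC_NONE: "None", SEC_VNC_AUTH: "VNC Authentication"}


def offer_message(offered):
    """Bytes the server sends: a count byte, then one byte per offered type."""
    return bytes([len(offered)]) + bytes(offered)


def parse_reply(reply):
    """The client's answer is exactly one byte naming its chosen type."""
    if len(reply) != 1:
        raise ValueError("malformed security-type reply")
    return reply[0]


def select_flawed(offered, reply):
    """Behaviour the advisory describes: the byte is checked only against the
    types the server implements, never against what this server offered."""
    chosen = parse_reply(reply)
    if chosen not in IMPLEMENTED:
        raise ValueError(f"unknown security type {chosen}")
    return chosen


def select_checked(offered, reply):
    """Corrected check: the byte must name a type from this connection's offer."""
    chosen = parse_reply(reply)
    if chosen not in offered:
        raise PermissionError(f"security type {chosen} was not offered")
    return chosen


def compare(offered, reply):
    """Run both checks on one handshake; return (flawed, checked) outcomes."""
    outcomes = []
    for check in (select_flawed, select_checked):
        try:
            outcomes.append(IMPLEMENTED[check(offered, reply)])
        except (ValueError, PermissionError) as exc:
            outcomes.append(f"rejected: {exc}")
    return tuple(outcomes)
```

A rejection from `select_checked` is also worth logging on the server, since a well-behaved client never names a type that was not in the offer.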