Robert,

While I have not reviewed the 3.3.4 code myself, I believe that this attack is possible with any release that correctly implements the current VNC authentication mechanism outside of a secure tunnel. This includes our TridiaVNC distribution.

TridiaVNC Pro includes built-in SSL/TLS encryption that will prevent this type of attack:

http://www.tridiavncpro.com/

Brian

> Message: 10
> To: [EMAIL PROTECTED]
> Subject: VNC "man in the middle" attack
> From: [EMAIL PROTECTED]
> Date: Mon, 2 Dec 2002 14:25:42 -0500
>
> Is RealVNC's WinVNC 3.3.4 still susceptible to this attack?
>
> http://www.securiteam.com/exploits/6S0040A6AW.html
>
> http://www.iss.net/security_center/static/5992.php
>
> If so, is any newer version not susceptible to this attack?
>
> If all versions of RealVNC/WinVNC are susceptible to this attack is there
> another flavor of VNC that is not?
>
> I cannot setup a tunnel / use SSH in my current situation so this attack
> presents a possible problem.
>
> Thanks.

--
Brian
----------------------------------------------------------------------------
TridiaVNC Pro: finally, affordable remote control!
http://www.TridiaVNCPro.com/
----------------------------------------------------------------------------
Tridia's Mission: To always exceed our customers' expectations by providing the absolute best software products backed by outstanding technical support and customer service. Please let us know how we are doing: brian . blevins @ tridia.com or ceo-hotline @ tridia.com.
_______________________________________________
VNC-List mailing list
[EMAIL PROTECTED]
http://www.realvnc.com/mailman/listinfo/vnc-list
