vnc security flaw?
glendaharris "at" bellsouth.net
Wed Jun 7 16:27:00 2006
As a newbie to all of this, I just want to say that I really appreciate this discussion and have learned quite a bit (Its been quite entertaining as well). I downloaded the free version of RealVNC but I have decided to upgrade and purchase it so that I can receive the proper support and learn as much as I can to minimize any security threats.
> From: Hal Vaughan <hal "at" thresholddigital.com>
> Date: 2006/06/06 Tue PM 02:13:51 EDT
> To: vnc-list "at" realvnc.com
> Subject: Re: vnc security flaw?
> On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
> > It's really not realistic or reasonable to expect every PC user to be
> > their own ever-vigilant security expert.
> Yes and no. It depends on how important security is to you. As pointed
> out, the flaw was posted on this list. I find that just reading
> Slashdot (http://slashdot.org) is enough to keep me informed of
> security issues when I need to know about them. I also use Debian
> Linux (Stable, whether it's Woody, Sarge, or Etch or whatever), which
> means a program has to be really stable to be finally classified as
> eligible for the Stable branch. That means most of the security
> problems are gone by then. In addition, a one line cron job (for the
> uninformed, cron is easily configured to run programs at any time)
> updates my system every night, getting only security fixes and needed
> While you probably use different methods for safety, my point is that I
> use a system that is known for secure updates and other issues are
> easily flagged on Slashdot, which is one site. There are better sites
> for security issues, but I'm just giving one example.
> > I try to keep up on these
> > things, and I had barely noticed. I doubt that 10% of VNC users
> > read either slashdot or vnc-list, much less never miss anything
> > important there.
> I noticed it was blasted all over any news source that keeps track of
> open source software. Were you actually keeping up with any news?
> Guess what? Software has flaws. I doubt there is a single piece of
> published software without bugs and without security flaws that will be
> discovered one day. If you use it, it is up to you to keep up with
> that. For example, if you use Windows, there are frequent serious
> issues. Some users ignore the situation. (They're the ones with so
> much malware they can barely use their computers.) Some users get
> automatic updates, but this is risky because sometimes Windows updates
> hose the system. Then there are the aware users that know that for
> safety, they need to keep up with all the security issues and that many
> times there are 3rd party patches/fixes out before MS issues fixes.
> > Two things that occur to me that "ought" to have happened, which
> > might have increased the visibility.
> > 1) vnc should maintain it's own list, reserved for security flash
> > alerts only, and strongly encourage anyone who installs vnc
> > to sign up.
> > 2) word should have been passed to norton, mcaffee, etc so they
> > could target vulnerable versions of vnc on behalf of their customers.
> > I don't know if this mechanism exists, but it ought to.
> Symantec and the other companies keep up with this stuff. Personally, I
> don't use them, since I use other security measures (and wouldn't be
> caught dead using Windows, other than testing my software for my
> clients). They know about it when exploits are published, and this one
> was published through all or most (that I saw) appropriate channels.
> As I said, I don't use Symantec or McAffee products, but I'm not sure
> that they can protect from issues like this. They can watch for
> malware and viruses, and will watch for whatever is in their
> definitions, but I don't think they go out of their way to protect you
> from flaws in other programs. With that in consideration, any malware
> known to attack RealVNC or other programs would end up in their
> database as soon as possible and would be downloaded to your system
> with your next regular update. (You do update daily, don't you?)
> I'm not trying to be a pain, but, in the long run, the security of your
> computer is YOUR responsibility. Maybe this will help, in the long
> run, by alerting you to the fact that you do have to find ways to
> ensure your systems' safety.
> VNC-List mailing list
> VNC-List "at" realvnc.com
> To remove yourself from the list visit: