vnc security flaw?

glendaharris@bellsouth.net glendaharris "at" bellsouth.net
Wed Jun 7 16:27:00 2006 

As a newbie to all of this,   I just want to say that I really appreciate this discussion and have learned quite a bit (Its been quite entertaining as well).  I downloaded the free version of RealVNC but I have decided to upgrade and purchase it so that I can receive the proper support and learn as much as I can to minimize any security threats. 

Thanks everyone.
Glenda Harris
> 
> From: Hal Vaughan <hal "at" thresholddigital.com>
> Date: 2006/06/06 Tue PM 02:13:51 EDT
> To: vnc-list "at" realvnc.com
> Subject: Re: vnc security flaw?
> 
> On Tuesday 06 June 2006 13:15, Dave Dyer wrote:
> > It's really not realistic or reasonable to expect every PC user to be
> > their own ever-vigilant security expert.  
> 
> Yes and no.  It depends on how important security is to you.  As pointed 
> out, the flaw was posted on this list.  I find that just reading 
> Slashdot (http://slashdot.org) is enough to keep me informed of 
> security issues when I need to know about them.  I also use Debian 
> Linux (Stable, whether it's Woody, Sarge, or Etch or whatever), which 
> means a program has to be really stable to be finally classified as 
> eligible for the Stable branch.  That means most of the security 
> problems are gone by then.  In addition, a one line cron job (for the 
> uninformed, cron is easily configured to run programs at any time) 
> updates my system every night, getting only security fixes and needed 
> updates.
> 
> While you probably use different methods for safety, my point is that I 
> use a system that is known for secure updates and other issues are 
> easily flagged on Slashdot, which is one site.  There are better sites 
> for security issues, but I'm just giving one example.
> 
> > I try to keep up on these 
> > things, and I had barely noticed.   I doubt that 10% of VNC users
> > read either slashdot or vnc-list, much less never miss anything
> > important there.
> 
> I noticed it was blasted all over any news source that keeps track of 
> open source software.  Were you actually keeping up with any news?
> 
> Guess what?  Software has flaws.  I doubt there is a single piece of 
> published software without bugs and without security flaws that will be 
> discovered one day.  If you use it, it is up to you to keep up with 
> that.  For example, if you use Windows, there are frequent serious 
> issues.  Some users ignore the situation.  (They're the ones with so 
> much malware they can barely use their computers.)  Some users get 
> automatic updates, but this is risky because sometimes Windows updates 
> hose the system.  Then there are the aware users that know that for 
> safety, they need to keep up with all the security issues and that many 
> times there are 3rd party patches/fixes out before MS issues fixes.
> 
> > Two things that occur to me that "ought" to have happened, which
> > might have increased the visibility.
> >
> > 1) vnc should maintain it's own list, reserved for security flash
> > alerts only, and strongly encourage anyone who installs vnc
> > to sign up.
> >
> > 2) word should have been passed to norton, mcaffee, etc so they
> > could target vulnerable versions of vnc on behalf of their customers.
> > I don't know if this mechanism exists, but it ought to.
> 
> Symantec and the other companies keep up with this stuff.  Personally, I 
> don't use them, since I use other security measures (and wouldn't be 
> caught dead using Windows, other than testing my software for my 
> clients).  They know about it when exploits are published, and this one 
> was published through all or most (that I saw) appropriate channels.
> 
> As I said, I don't use Symantec or McAffee products, but I'm not sure 
> that they can protect from issues like this.  They can watch for 
> malware and viruses, and will watch for whatever is in their 
> definitions, but I don't think they go out of their way to protect you 
> from flaws in other programs.  With that in consideration, any malware 
> known to attack RealVNC or other programs would end up in their 
> database as soon as possible and would be downloaded to your system 
> with your next regular update.  (You do update daily, don't you?)
> 
> I'm not trying to be a pain, but, in the long run, the security of your 
> computer is YOUR responsibility.  Maybe this will help, in the long 
> run, by alerting you to the fact that you do have to find ways to 
> ensure your systems' safety.
> 
> Hal
> _______________________________________________
> VNC-List mailing list
> VNC-List "at" realvnc.com
> To remove yourself from the list visit:
> http://www.realvnc.com/mailman/listinfo/vnc-list