On Friday, a vulnerability was announced in RealVNC that allows anyone to connect to a server running the affected version without supplying a password. During the handshake between the VNC server and client, the server sends the client the list of security types (authentication mechanisms) it is willing to accept, and the client replies with the one it has chosen; authentication then proceeds using that mechanism (for the usual VNC Authentication type, a challenge-response based on the password). Unfortunately, the server was not checking that the client's choice was actually one of the types it had offered, and the protocol defines a "None" type (what has been described as anonymous authentication) that performs no authentication at all. With a one-line change to the client so that it always answers "None", an attacker can get into any VNC server running the affected version, whatever password is set. Not good!
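To make the handshake concrete, here is an added simulation of the RFB 3.8 security negotiation, written for this post; it is not RealVNC's code and is not an exploit for any particular build. The security-type numbers (1 = None, 2 = VNC Authentication) and the message sequence are the protocol's. The server is run twice: once dispatching on whatever type the client names (the flaw), and once checking the choice against the list it offered (the fix). The password and the patched client are constructed for the example, and the challenge-response function is a keyed-hash stand-in for the protocol's DES step, an assumption made so the example runs with the standard library only.

```python
import hashlib
import hmac
import os
import struct
from typing import List, Optional

# RFB 3.8 security types (the numbers are the protocol's).
SEC_NONE = 1        # "None": no authentication at all
SEC_VNC_AUTH = 2    # "VNC Authentication": 16-byte challenge, 16-byte response

SECRESULT_OK = 0
SECRESULT_FAILED = 1


def challenge_response(password: bytes, challenge: bytes) -> bytes:
    """Stand-in for the VNC Authentication computation.

    ASSUMPTION: the real protocol DES-encrypts the challenge with the password
    (truncated to 8 bytes) as key. A keyed hash replaces DES here so the example
    is self-contained; the handshake logic around it is what matters.
    """
    return hmac.new(password[:8], challenge, hashlib.sha256).digest()[:16]


class Client:
    """A VNC client. force_type models the one-line client patch that ignores
    the offered list and always selects the given security type."""

    def __init__(self, password: bytes = b"", force_type: Optional[int] = None):
        self.password = password
        self.force_type = force_type

    def choose_security_type(self, offered: List[int]) -> int:
        if self.force_type is not None:
            return self.force_type          # patched client: pick it regardless
        return SEC_VNC_AUTH if SEC_VNC_AUTH in offered else offered[0]

    def answer(self, challenge: bytes) -> bytes:
        return challenge_response(self.password, challenge)


def server_handshake(client: Client, server_password: bytes,
                     validate_choice: bool, transcript: Optional[list] = None) -> bool:
    """Server side of the RFB 3.8 security handshake against `client`.

    validate_choice=False reproduces the flaw: the server acts on whatever type
    the client names. validate_choice=True is the fix: the choice must be one of
    the types the server itself offered. Returns True if the client is let in;
    `transcript` collects (direction, bytes) for every message exchanged.
    """
    log = transcript if transcript is not None else []
    log.append(("S->C", b"RFB 003.008\n"))
    log.append(("C->S", b"RFB 003.008\n"))

    offered = [SEC_VNC_AUTH]                 # password-protected server never offers None
    log.append(("S->C", bytes([len(offered), *offered])))

    chosen = client.choose_security_type(offered)
    log.append(("C->S", bytes([chosen])))

    if validate_choice and chosen not in offered:
        log.append(("S->C", struct.pack(">I", SECRESULT_FAILED)))
        return False

    if chosen == SEC_NONE:
        # No authentication sub-handshake at all: straight to SecurityResult = OK.
        log.append(("S->C", struct.pack(">I", SECRESULT_OK)))
        return True

    if chosen == SEC_VNC_AUTH:
        challenge = os.urandom(16)
        log.append(("S->C", challenge))
        response = client.answer(challenge)
        log.append(("C->S", response))
        ok = hmac.compare_digest(response, challenge_response(server_password, challenge))
        log.append(("S->C", struct.pack(">I", SECRESULT_OK if ok else SECRESULT_FAILED)))
        return ok

    log.append(("S->C", struct.pack(">I", SECRESULT_FAILED)))   # unknown type
    return False


PASSWORD = b"s3cret-pw"   # constructed sample password for the server


def legitimate_login() -> bool:
    return server_handshake(Client(password=PASSWORD), PASSWORD, validate_choice=True)


def wrong_password() -> bool:
    return server_handshake(Client(password=b"guess"), PASSWORD, validate_choice=True)


def bypass_vulnerable_server() -> bool:
    # Patched client names type 1 (None) although only type 2 was offered.
    return server_handshake(Client(force_type=SEC_NONE), PASSWORD, validate_choice=False)


def bypass_fixed_server() -> bool:
    return server_handshake(Client(force_type=SEC_NONE), PASSWORD, validate_choice=True)


if __name__ == "__main__":
    for name, fn in [("legitimate login", legitimate_login),
                     ("wrong password", wrong_password),
                     ("None against vulnerable server", bypass_vulnerable_server),
                     ("None against fixed server", bypass_fixed_server)]:
        print(f"{name:32s} -> {'ACCESS' if fn() else 'denied'}")
```

The transcript for the bypass case is the tell: the server offers `01 02` (one type, VNC Authentication), the client answers `01` (None), and the unpatched server replies with a zero SecurityResult and no challenge ever crosses the wire. A server that has the fix answers that same `01` with a failed SecurityResult, which is also how you can tell the two apart from the outside.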

An update (version 4.1.2) is available at RealVNC.com. We have responded quickly to this security threat and updated any public-facing VNC servers, followed by any internal VNC servers. Our recommended practice is to use VNC only internally and to use Terminal Services / Remote Desktop for any public-facing remote access.