Industry Updates

Security Issues Found In Several VNC Applications

Microsoft RDP has its share of problems.

That simple truth has sparked the rise of a number of open-source VNC (Virtual Network Computing) applications, which allow a user to remotely control another computer.

Regardless of which VNC solution you use, they all work pretty much the same way.

There’s a “server component” which runs on the computer that shares its desktop. There is also a “client component” which runs on the computer that will access the share from a remote location.

There are a few VNC applications on the market compatible with every OS in use today. In the VNC ecosystem, the “Big Four” are LibVNC, UltraVNC, Tight VNC, and TurboVNC.  Recently, researchers at Kaspersky Lab audited these four on a quest to discover how secure they were.  Their findings were disappointing to say the least.

Overall, the researchers found a total of 37 serious flaws in the client and server portions of these four programs. 22 of them were found in UltraVNC, with another ten found in LibVNC, 4 in TightVNC, and one in TurboVNC, which looks to be the best of the bunch in terms of security.

The research team had this to say about their findings:

“All of the bugs are linked to incorrect memory usage.  Exploiting them leads only to malfunctions and denial of service – a relatively favorable outcome.  In more serious cases, attackers can gain unauthorized access to information on the device or release malware into the victim’s system.”

Although only one flaw was found in TurboVNC, it’s a serious one that would allow a determined attacker to remotely execute code on the server side.

If there’s a silver lining to the recent research it is the fact that Kaspersky notified the development teams of all four of the programs they audited. Also, all four have been patched and updated. If you use any of those, just make sure you’re using the latest version and you can use them with confidence.  Kudos to Kaspersky for their efforts, and to the developers to responding swiftly to the company’s findings.