Huge security risk with default vnc4server in Edgy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
vnc4 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: vnc4server
I recently had some weird behaviour with open Instant Messaging windows - I had been away from my computer for some hours, and upon return, an IM window that I'd left open had been sending Windows system commands to the contact. This happened in Gaim and Skype, while no one would have had access to my physical machine. Here is a link to the portion of conversation that contains the said messages: http://
I visited Gaim IRC to find out if they knew how this might have happened, and it turns out that version 4.1.1 of RealVNC contains a massive security flaw that will allow non-local users to connect to the VNC server *without a password*. Here are some relevant links the Gaim developers pointed me to:
http://
http://
The only scenario that makes sense to me is that someone gained access to my VNC'd Ubuntu box and tried propagating a virus.
In any case, RealVNC 4.1.2 is supposed to address this issue.