Update 5/12/2006: We contacted the RealVNC team with our findings. They were able to verify the flaw and release a fix within only a few short hours. I would highly suggest downloading 4.1.2 if you are running RealVNC on any Internet-facing computers - Steve
In our previous post, I discussed a flaw in VNC that we discovered by accident. It essentially allows you to access a host running RealVNC 4 without knowing the password.
I have put together a proof of concept application (VNC Flaw Test). If you visit this page from the server or machine running VNC, it will attempt to connect back and display a snapshot. If it says you're safe - then hey, you're safe. If not, you've got to wonder how many million people have this installed and have a wide-open security flaw.
Now it is still possible we are wrong, since every machine we have had the chance to test has been touched by our software. Try it and see if you are vulnerable - and remember you need to browse to the testing page *from* the machine running VNC, and this machine and its VNC port have to be accessible from the Internet.
Posted By: Steve Wiseman on Wednesday, May 10, 2006
