A potential security vulnerability in VNC Free Edition 4.1.2 / VNC Enterprise Edition E4.4.2 has been patched¹. It was caught early on, and to date there have been no known attacks.

The bug only affected the VNC Listening Viewer (a component of VNC Viewer), which is used to perform what is essentially a reverse connection. The VNC Listening Viewer is “connected to” by the VNC Server, instead of “connecting to” it. This is particularly useful in enterprise or small home user environments where you may not be able to punch a hole through a firewall to allow the connection. The outcome is essentially the same: the VNC Viewer ends up connected to the VNC Server, but the connection is initiated from the VNC Server rather than from the VNC Viewer (read: outbound, not inbound).

The bug was particularly exploitable due to being present in the VNC Free Edition codebase. VNC FE is open source, released under the GNU GPL², meaning that anyone with enough knowledge of the code and the bug could build an attacking VNC FE server, which could then be used to attack any FE/EE Listening Viewer currently running and listening. The attacking server could exploit the buffer overflow to run malicious bespoke code on the listening viewer machine, and potentially do as much harm as the attacker wants.

The bug has been fixed in all available releases (VNC Free Edition 4.1.3, VNC Personal Edition 4.4.3, VNC Enterprise Edition 4.4.3), which are available to download on the RealVNC website³. The patched VNC Viewer for the commercial products (EE, PE) is available for download by all past and present customers. No license key/serial is required.

(¹) VNC Enterprise Edition 4.4 Release Notes – realvnc.com
(²) VNC Free Edition 4.1 Documentation & Download – realvnc.com
(³) RealVNC download area/repository – All version/platforms