Apple has released version 3.6.1 of its Apple Remote Desktop application to fix an information disclosure vulnerability.
Vulnerability Details (CVE-2012-0681):
When connecting to a third-party VNC server with "Encrypt all network data" set, data is not encrypted and no warning is produced. According to the Apple security advisory, this issue does not affect Apple Remote Desktop 3.5.1 and earlier; versions 3.5.2 up to and including 3.6.0 are affected.
The latest version, 3.6.1, addresses this issue by creating an SSH tunnel for the VNC connection when "Encrypt all network data" is set. If this is not possible, ARD will prevent the connection.
Apple Remote Desktop 3.6.1 may be obtained from the Mac App Store, the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/
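The behaviour described above can be confirmed from a packet capture: when the VNC session runs through an SSH tunnel, the first bytes the server sends are an SSH identification string, not the cleartext RFB (VNC) version banner. The Python check below is an added example, not Apple's code; the session records, field names and hostnames are constructed for illustration.

```python
import re

# An RFB (VNC) server opens with a 12-byte ProtocolVersion message, e.g. b"RFB 003.008\n".
RFB_BANNER = re.compile(rb"RFB \d{3}\.\d{3}\n")
# An SSH server sends an identification string (RFC 4253, section 4.2); other
# lines may precede it, so search line by line rather than only at offset 0.
SSH_BANNER = re.compile(rb"^SSH-\d+\.\d+-[^\r\n]*\r?\n", re.MULTILINE)


def classify_first_bytes(payload: bytes) -> str:
    """Classify the first server-to-client bytes of a remote-control session."""
    if RFB_BANNER.match(payload):
        return "cleartext-vnc"
    if SSH_BANNER.search(payload):
        return "ssh-tunnel"
    return "unknown"


def audit_sessions(sessions):
    """Return sessions that required encryption but opened with a cleartext RFB banner."""
    findings = []
    for session in sessions:
        verdict = classify_first_bytes(session["first_bytes"])
        if session["encrypt_required"] and verdict == "cleartext-vnc":
            findings.append((session["server"], verdict))
    return findings


# Constructed sample data (not from a real capture); hostnames are placeholders.
SAMPLE_SESSIONS = [
    {"server": "vnc-a.example", "encrypt_required": True,
     "first_bytes": b"RFB 003.008\n"},
    {"server": "vnc-b.example", "encrypt_required": True,
     "first_bytes": b"SSH-2.0-OpenSSH_5.9\r\n"},
    {"server": "vnc-c.example", "encrypt_required": False,
     "first_bytes": b"RFB 003.003\n"},
]

if __name__ == "__main__":
    for server, verdict in audit_sessions(SAMPLE_SESSIONS):
        print(f"{server}: {verdict} although encryption was required")
```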