Reported January 23, 2001, by CORE-SDI
AT&T VNC, a freeware remote control package, uses a challenge-response mechanism to authenticate clients. An attacker can exploit a design vulnerability in this mechanism to launch a simple man-in-the-middle attack and gain unauthorized access to hosts running VNC.
AT&T Labs has been contacted. It is recommended that you use VNC over cryptographically strong channels.
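One way to check that the recommendation is actually enforced on a host is to confirm that no VNC listener is reachable except through a tunnel endpoint on loopback. The script below is an added example, not part of the original advisory or of the VNC distribution. It assumes Linux `ss -ltn` output and the conventional VNC display ports 5900-5999, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: list VNC listeners that are reachable without a tunnel.
# Reads `ss -ltn` style lines on stdin and prints every listening socket in
# the VNC display port range (5900 + display number) that is bound to a
# non-loopback address. No output means VNC is only reachable locally, for
# instance through an SSH port forward.
exposed_vnc_listeners() {
    awk '
    $1 == "LISTEN" {
        sock = $4                              # "Local Address:Port" column
        n = split(sock, parts, ":")
        port = parts[n]
        if (port !~ /^[0-9]+$/) next
        port = port + 0
        if (port < 5900 || port > 5999) next   # not a VNC display port
        addr = substr(sock, 1, length(sock) - length(parts[n]) - 1)
        # Loopback binds are only reachable from the host itself.
        if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
        print sock
    }'
}

# Constructed sample of `ss -ltn` output (not taken from a real host).
SAMPLE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
LISTEN 0      5      [::1]:5902          [::]:*
LISTEN 0      5      [::]:5903           [::]:*'

# Demo run on the sample. On a live host: ss -ltn | exposed_vnc_listeners
printf '%s\n' "$SAMPLE" | exposed_vnc_listeners

# A loopback-only display is then reached through an encrypted channel, e.g.
#   ssh -L 5901:127.0.0.1:5901 user@vnc-host   (user and vnc-host are placeholders)
# with the viewer pointed at the local end of the forward.
```

Displays 0 and 3 in the sample are flagged because they accept connections on every interface; displays 1 and 2 are bound to loopback and are not.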