updated 09:00 pm EDT, Mon September 17, 2012
Version 3.5.3 fixes non-encryption but in previous version
Late Monday, Apple updated its Apple Remote Desktop Admin software to version 3.5.3 to fix a fault in the previous version that failed to encrypt network data even when a preference to do so was expressly checked when connecting to a third-party VNC server. Although the fault was limited to version 3.5.2 and does not affect ARD Admin 3.1 and earlier, Apple is recommending that all 3.x versions update to version 3.5.3. Discovery of the issue is being credited to a student at Central Connecticut State University.
Mark S. C. Smith found that when version 3.5.2 connected to a third-party VNC server with "Encrypt all network data" set as a preference, data was nonetheless unencrypted, and no warning was given. The issue could conceivably lead to information disclosure from the transmitted data, though no incidents of the problem have been reported. ARD 3.5.2 was released in mid-June and required OS X 10.7.4 or higher.
The issue is fixed, Apple says, by creating an SSH tunnel for the VNC connection and preventing the connection if the SSH tunnel can't be created. The new update can be obtained through Software Update for machines that have ARD installed, or directly from Apple's Software Downloads web page.