Word on this nasty new exploit is getting around.

Our friends at F-Secure (who are enjoying a wonderful warm Helsinki winter) also posted on this nasty new exploit. Link here. Secunia also writes here.

eWeek also wrote about it, here.

And for some humorous side color: I noticed this amazing quote in the eWeek article from Peter Lindstrom at Spire Security:

Although Secunia deemed the flaw highly critical, at least one security researcher was dismissive of the bug’s severity. Pete Lindstrom, research director for Spire Security LLC, said that at this stage in the game, anything that requires user interaction is hardly worth notice.

“There’s no such thing as ‘extremely critical’ when user interaction is required,” Lindstrom said. “That’s just silly.”

Wow. I have sent Peter an email with a link to a website that has this exploit and his response was as follows:

Hi, Alex – it is my understanding that the vuln still requires an end user (target) to actually do something, like click on a link. If that is the case, then my quote is accurate. Don’t worry, you’ll still sell your software 😉

<sigh> 

The only thing you need to do is actually visit a site with the nasty and you get it. In my mind, that makes it a pretty critical vulnerability. You go to a site that has this vulnerability, you get hit. It’s not necessarily done through social engineering…


Alex Eckelberry