>>> STOP - DO NOT DOWNLOAD

I don't wish to appear paranoid, but could you perhaps provide a link to some further info about this? Linking directly to an "updated" executable makes me rather suspicious. At least sign something with your PGP key, or make some attempt at verification.

Meanwhile, I would advise anyone reading this to NOT download anything until it's safe to do so.

Sorry. Good point on clarifying this. I will modify the entry accordingly.

The vuln is listed in the changelog. I couldn't find the CORE article listed, though.

http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html

Under fair disclosure, I would gather a window is being provided to get the fix out.

Don't be suprised if you see this hit bugtraq in a few days/weeks.

Jonathon,

This blog is not supposed to replace YOUR due diligence and patch management strategy as part of your infosec policy.

As I am not the author of putty, you shouldn't expect ME to provide you detailed information (checksums, signed response etc) of anything past a heads up. Which I did. If there would have been more information on bugtraq to corillate or the like I would have included it. However, at this point you probably got about a weeks window AHEAD of the industry here. It only takes a couple of seconds to verify if the intent was real by simply GOING to the putty page and verifying yourself. My addendum to the post, which I modified after your original posts, even linked to the page for you.

I apologize if you believe I have more responsibility here. I am flattered that you believe so, but would like to point out my words here are not a replacement for your CSO.

As an update, an advisory was published today from Core Security on the vulnerability. Should start to see exploits for it in the next couple of days now that people have a better understanding of what and how its vulnerable.

You can read the advisory here.