18 Quotes by Thomas Kristensen

Vendors can take months to create patches, and sometimes users grumble about that, ... But the alternative is to have patches that can be circumvented or aren't appropriate for the vulnerability. It's a difficult balance.

Since printers are connected to the network, they can be vulnerable. Attackers might use a printer connection to get to other parts of a system, and sometimes it's very easy to get into a company that way.

Only a few companies, including the open source vendor Red Hat, handles vulnerabilities in an equally responsible way.

It certainly is a serious threat, but given the amount of information available from Cisco you would think there would only be an extremely limited number of vulnerable systems. Most people should have patches in place before there are any exploits.

I think Steve has got some good points on why comparing vulnerability numbers is difficult.

While the bug in itself could look like a back door, I find it highly unlikely that it actually is a deliberately placed back door.

Users should be less concerned if the application they're using is from a Linux distributor, because they have patches available. But with third-party vendors, users might not know about the problem until they read about it.

Three of the vulnerabilities can launch malicious code that allows an attacker to snoop on users. The other vulnerability is a DOS attack that will only work in a few cases and crash the media player when it tries to open a file.

We aren't aware of any systems that have been compromised yet, but it's likely to happen since there's exploit code out.