> Thanks (and to Jim Paris).
>
> I of course did not mean that it was OK for the client to have code
> injection "portholes". I just meant that the particular exploit path
> that was described wasn't very interesting since someone who maliciously
> controls the sshd to which you are speaking has so many other
> opportunities to exploit you.

Once again, you're wrong. "The particular exploit path that was
described" does _not_ require that someone can control the sshd to which
you're speaking -- it only requires that someone can control your TCP/IP
traffic. There's a very big difference there.

Obviously, the security of your TCP/IP traffic is solved with host key
verification and cryptography. But this bug in SecureCRT happens way,
way before any of that takes place.

-jim