by hsbauauvhabzb
994 days ago
Security engineer here, and for context I manage a very small number of servers that don't really matter too much. Having the notice means that I see it on HN before I need to patch - that's massively handy. I don't want to run updates on cron because I feel the risks may outweigh the benefits in some cases. If this extends to other implementations (php curl, etc.) then I doubt vuln scanners would pick it up. Not every company has infinite resources, and security notices are a firehose. Sure, this gives bad actors more of a chance to tee up staff to hit this thing, but it gives the competent but under-resourced blue teamers a chance too.

Edit: I upvoted you btw and would encourage others to consider this also. I think your opinion is a valid perspective and conversation-provoking, which iirc is the point of votes - I'd rather not see HN fall into an echo chamber hive-mind, if it's not already too late.

So I think it's just fear mongering to say suddenly people will craft exploits because of this notice. Like, if they are so good at finding the exploit then they probably would have found it a long time ago already given the lack of useful intel here.