To all the Windows users using PuTTY for SSH, please upgrade your PuTTY clients IMMEDIATELY.
PuTTY 0.55, released today, fixes a serious security hole which may
allow a server to execute code of its choice on a PuTTY client
connecting to it. In SSH2, the attack can be performed before host key
verification, meaning that even if you trust the server you think you
are connecting to, a different machine could be impersonating it and
could launch the attack before you could tell the difference.
You can grab the latest version of PuTTY here.
Of course, if you use Cygwin and use OpenSSH… you're fine. 🙂
UPDATE: A reader of the blog pointed out that I am blindly
pointing to the executable, which for the paranoid could be a bad thing
without explaining what is going on.