Vulnerabilities impacting curl, libcurl not as severe as believed

CyberScoop reports that two security vulnerabilities in the open source curl command-line tool and its libcurl library are significantly less threatening than originally feared. The more severe of the two, which affects curl's handling of SOCKS5 proxy connections, is realistically exploitable only when a vulnerable curl is used through Tor to visit a malicious HTTPS site. "There's a big difference between vulnerabilities where an attacker can scan the internet and exploit anyone who is running vulnerable versions. This is one where if someone goes to a malicious website and they have a vulnerable version, they can get exploited," said ForAllSecure CEO David Brumley, who is also a cybersecurity professor at Carnegie Mellon University. SANS Technology Institute Dean of Research Johannes Ullrich added that systems exposed to the curl and libcurl flaws are likely at greater risk from simpler bugs in their own input handling. "If you accept data, not validate it, and just blindly pass it to libraries like curl, you will likely have other problems that are easier to exploit," Ullrich said.
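
The kind of check Ullrich is describing, as an added example that is not code from the article, from SC Media or from the curl project: an allow-list validator that an application applies to an untrusted URL before it ever builds a curl command line. The HTTPS-only rule, the length bounds, the curl flags and the sample Tor proxy address are this example's own assumptions; the page states none of them.

```python
"""Allow-list an untrusted URL before handing it to curl or libcurl.

Added example (not the article's or the curl project's code). Assumptions
not taken from the page: callers only need HTTPS fetches, hosts are DNS
names rather than IP literals, and any proxy comes from trusted
configuration, never from the same request that supplied the URL.
"""
from __future__ import annotations

import re
import subprocess
from urllib.parse import urlsplit

ALLOWED_SCHEMES = frozenset({"https"})   # assumption: HTTPS only
MAX_URL_LEN = 2048                       # assumption: generous bound for our callers
MAX_HOST_LEN = 253                       # DNS limit on a full hostname
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


class RejectedURL(ValueError):
    """Raised when an untrusted URL fails validation."""


def validate_url(raw: str, allowed_hosts: frozenset[str] | None = None) -> str:
    """Return a normalised URL or raise RejectedURL.

    Every decision about what curl will be asked to do is made here,
    before curl sees the input: overall length bound, scheme allow-list,
    no embedded credentials, a bounded and well-formed DNS hostname, a
    numeric port, and an optional host allow-list.
    """
    if len(raw) > MAX_URL_LEN:
        raise RejectedURL("URL too long")
    parts = urlsplit(raw)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise RejectedURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise RejectedURL("credentials in URL are not accepted")
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        raise RejectedURL("missing host")
    if len(host) > MAX_HOST_LEN:
        raise RejectedURL("hostname too long")
    # IPv6 literals contain ':' and fail the label check, which is the
    # intended behaviour under the DNS-names-only assumption above.
    if not all(LABEL_RE.match(label) for label in host.split(".")):
        raise RejectedURL(f"invalid hostname: {host!r}")
    if allowed_hosts is not None and host not in allowed_hosts:
        raise RejectedURL(f"host not on allow-list: {host!r}")
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError as exc:
        raise RejectedURL("invalid port") from exc
    netloc = host if port is None else f"{host}:{port}"
    return parts._replace(netloc=netloc).geturl()


def curl_args(url: str, proxy: str | None = None) -> list[str]:
    """Build the argv for fetching an already-validated URL with curl.

    A list (no shell) keeps URL contents out of shell parsing; --proto and
    --proto-redir restrict both the first transfer and any redirect to
    HTTPS; the proxy, if any, is supplied by trusted configuration.
    """
    args = ["curl", "--fail", "--silent", "--show-error",
            "--proto", "=https", "--proto-redir", "=https",
            "--max-redirs", "3", "--max-time", "30", "--output", "-"]
    if proxy is not None:
        args += ["--proxy", proxy]
    return args + [url]


def fetch(raw_url: str, proxy: str | None = None) -> bytes:
    """Validate, then fetch. Raises RejectedURL before curl is invoked."""
    url = validate_url(raw_url)
    return subprocess.run(curl_args(url, proxy), check=True,
                          capture_output=True).stdout


if __name__ == "__main__":
    # Constructed sample inputs, not data from the article.
    candidates = [
        "https://example.com/report?id=7",
        "http://example.com/",                      # wrong scheme
        "https://user:secret@example.com/",         # smuggled credentials
        "https://" + "a" * 300 + ".example.com/",   # oversized hostname
    ]
    for candidate in candidates:
        try:
            print("accept", validate_url(candidate))
        except RejectedURL as err:
            print("reject", err)
    # Tor's default SOCKS port, used here only to show a trusted proxy setting.
    print(" ".join(curl_args("https://example.com/", proxy="socks5h://127.0.0.1:9050")))
```

The validator deliberately returns a rebuilt URL rather than the raw string, so that whatever reaches curl is exactly the form that passed the checks.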
