Vendors can take months to create patches, and sometimes users grumble about that, ... But the alternative is to have patches that can be circumvented or aren't appropriate for the vulnerability. It's a difficult balance.

Vendors can take months to create patches, and sometimes users grumble about that. But the alternative is to have patches that can be circumvented or aren't appropriate for the vulnerability. It's a difficult balance.

Three of the vulnerabilities can launch malicious code that allows an attacker to snoop on users. The other vulnerability is a DOS attack that will only work in a few cases and crash the media player when it tries to open a file.

Someone who's able to intercept the message as it's transmitted could inject some data, and then the person who verifies the signature would be told it's a valid, unaltered message.

We aren't aware of any systems that have been compromised yet, but it's likely to happen since there's exploit code out.

If there is one hole you'd grumble about the most, it would be that one.