In the rush to clean up the debian-openssl fiasco, a number of other major security holes have been uncovered:
Fedora Core: Vulnerable to certain decoder rings
Xandros (EEE PC): Gives root access if asked in a stern voice
Gentoo: Vulnerable to flattery
OLPC OS: Vulnerable to Jeff Goldblum's Powerbook
Slackware: Gives root access if user says Elvish word for "friend"
Ubuntu: Turns out distro is actually just Windows Vista with a few custom Themes.
These vulnerabilities are as bad as it gets. They don’t require any user interaction, they affect the default configuration, and the software runs at the highest privilege levels possible.
[...]
Because Symantec uses a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link to an exploit is enough to trigger it - the victim does not need to open the file or interact with it in anyway. Because no interaction is necessary to exploit it, this is a wormable vulnerability with potentially devastating consequences
[...]
It’s a 100% reliable remote exploit, effective against the default configuration in Norton Antivirus and Symantec Endpoint, exploitable just from email or the web. As the bug is in the core scan engine’s decomposer library, all Symantec and Norton branded products are affected.
[...]
Symantec dropped the ball here. A quick look at the decomposer library shipped by Symantec showed that they were using code derived from open source libraries [...], but hadn’t updated them in at least 7 years.
