The danger is that someone with admin privileges (and many places still have users with local admin rights on their own machines) gets exploited by this flaw and this leads, at the minimum, to an installation vector for more malicious software to piggyback on.

Further, that characterization of IT security types is insulting.

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Malcolm Bruton
Sent: Friday, March 02, 2007 3:29 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix Client v10

Security people are like chickens. They flap about a lot but don't always understand the problems because their brains are too small. Sometimes it's just easiest to get on with the request rather than make them see sense. Anyway, going to 10 suits us long term because we'll just have to do it at some stage anyway.

Thanks for all the feedback, guys.

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Andrew Wood
Sent: 01 March 2007 22:24
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Citrix Client v10

"The Citrix Presentation Server Client for Windows includes support for making ICA connections through proxy servers. An implementation flaw in this functionality may allow an attacker to execute arbitrary code in the context of the client process."

Surely that's only going to run in the context of the user - so the major worry there is what?

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Malcolm Bruton
Sent: 01 March 2007 16:20
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Citrix Client v10

Anyone been brave enough yet for deployment?

http://support.citrix.com/article/CTX112589

Convenient that Citrix have released this article and asked to upgrade to v10 to fix..... Of which I already have our security team asking about upgrading

Malcolm