PuTTY, a great little freeware SSH client, has had a security update. Anyone who uses PuTTY should upgrade to version 0.56.

PuTTY 0.56, released today, fixes a serious security hole which can allow a server to execute code of its choice on a PuTTY client connecting to it. In SSH2, the attack can be performed before host key verification, meaning that even if you trust the server you think you are connecting to, a different machine could be impersonating it and could launch the attack before you could tell the difference. We recommend everybody upgrade to 0.56 as soon as possible.

That’s two really bad holes in three months. I’d like to apologise to all our users for the inconvenience.

Considering Simon Tatham & his team do all this work for free, I don’t think he should be too upset. The fact that they patched the flaws almost immediately speaks volumes for their commitment & integrity. Kudos to you!