Re: New year?
Hypothetically, if (and I have strong suspicions that this is the case based on what has to be fixed) the compromised QNAP devices are being compromised by a remote attacker and the issue doesn't exist in all firmware releases, the "millions of QNAP users" becomes thousands of QNAP users running firmware releses X.XX.XX to Y.YY.YY with service ZZZ exposed to the Internet". Service ZZZ is likely to be inbound HTTP/HTTPS from any Internet address.
If you restrict access from the Internet to your QNAP, you are likely to be OK.
This doesn't excuse QNAP's current response that seems a little inadequate, but then again, this isn't their typical support request so it may take a while for them to realise these aren't one off events caused by people installing fake updates (still possible) or users making devices accessible from the internet with default or weak admin credentials (also possible but based on some of the affected users in forums, they seem pretty technically aware).
Biting the hand that feeds IT
