This is in response to the allegations made by the JoomLeaks actor in the mass email sent out to people who had created a user account on the JoomlaDonation site. For more information about this email please take a look at http://forum.joomla.org/viewtopic.php?f=714&t=866985
Executive summary: It is possible for a remote attacker to extract a remotely hosted archive while you are extracting a backup archive / installing an update, depending on your server settings. The attack is NOT possible at any other time. Merely having our software installed DOES NOT make your site vulnerable. The vulnerability was discovered and reported by Johannes Dahse of Horst Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany.
It has come to our attention that GoDaddy has a very misleading post comparing security extensions for Joomla!, including Admin Tools. We want to address the blatant inaccuracies in that blog post.