If you read yesterday's New York Times article at http://www.nytimes.com/2007/11/17/technology/17code.html
that's referenced can be found at http://cryptome.org/bug-attack.htm
might be interested to know that the RSA implementation in Crypto++ is
already protected against this attack, even if a multiplication bug does
exist in the CPU.
I'm not sure why neither the article nor Shamir's paper mention this, but
it's been well known for some time that in order to protect against this
kind of fault attack, after doing the RSA private key operation y=x^d mod n,
one should check that the result is correct by verifying that x=y^e mod n.
Crypto++ has done this since version 5.1.