(1) Stealing the private key from a user's computer. With hands-on access to the computer, an attacker can reveal the private key by exporting it or by analyzing the file it resides in.
(2) Using a fake CAPTCHA to download malware. This exploit uses a hidden file download request that is run when the user enters "R" (the first letter in the CAPTCHA word). In 2013, the vulnerability was found in IE 9 and 10 on Windows 7 and in Chrome on Windows 8; however, other security controls may limit the attack's success.