I'm mostly clear on this, so I just want to make sure I'm 100%.
For the MtGox issue:
The issue arises if a bitcoin processor/exchange is refunding what appears to be a failed withdrawal back to a user's account. If they look in the blockchain for the transaction ID that corresponds to the withdrawal transaction they issued, they won't find it because their transaction's hash was changed prior to entering the blockchain. This is fundamentally the wrong way to deal with this issue. Once you issue a transaction, you're supposed to always assume that the transaction WILL go through unless you double-spend at least one input to the transaction and wait for that new transaction to confirm. Under no circumstance should you just issue a completely new transaction like MtGox did. That is how they lost some bitcoins.
Unlike the unspent change problem, this *did* allow Mt. Gox to lose Bitcoins because they simply issued a new transaction. Now, both the original transaction (or the mutated version of the original) AND the completely new transaction could be confirmed in the blockchain, thus giving the individual who started the withdrawal multiple times the amount of their original withdrawal, right?
Correct me if I'm wrong, but this also relates to whatever accounting practices Mt. Gox was using because they didn't realize that overall, the # of Bitcoin inputs into their wallets wasn't matching the outputs, and that apparently this had been happening over the last few years, right? (It also seems like they just generally had accounting or financial problems independent of this, seeing as they've now declared bankruptcy)
For the Bitcoin-Qt issue:
The issue arises if you are spending "change" from a transaction you just made that is still unconfirmed. If that original transaction gets mutated and confirmed with that mutation, the transaction that you made using change from the unmutated transaction can no longer go through.
I'm still a little unclear on what the problem is in this case. Say you spend change from a transaction that hasn't been confirmed yet. If the transaction is mutated, and that mutated transaction is confirmed, your original transaction won't go through. Is this just a problem because it allows a malicious user to DDOS part of the network (or part of the network) by submitting numerous duplicate transactions that won't cost them anything because the transactions still involve the same inputs and ouputs and only one will go through?
Basically, I'm confused as to how this is a double-spend problem because only one of the transactions will go through, so only that many Bitcoins will be sent/signed over. It's not possible for someone to use this to receive twice the number of Bitcoins that they have as unspent change, right?
For the Silk Road issue:
They just ran with the money and used the malleability issue as a cover. Don't think too much into their statements.
This was (and still is) my assumption, but has any evidence come to light supporting it? I haven't heard much about it since the initial report.
(I know Bitcoin isn't a system of address/wallet balances, and the thread that was linked to in the 2nd post of this thread was super helpful in clarifying that for me, so hopefully my terminology of "supply of outputs", for example, isn't too far off)
On a related note, the DDOS attacks that we've been hearing about are able to occur because malicious users can look at any transactions involving an exchange and create numerous mutated versions of those transactions, thus spamming the network. Is this correct?