Written by Paul Roberts, in the June issue of Australian PC World
Providing further proof of the adage that "No good deed goes unpunished", the SETI@home screen saver contains software vulnerabilities that could allow attackers to execute malicious code on machines running the popular program, according to an advisory released by a computer science student in The Netherlands.
SETI@home is a scientific experiment that marshals the processing power of internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). Participants install a free software program that downloads and analyses radio telescope data.
The SETI@home software is packaged as a screensaver. While the screensaver runs, the software downloads, analyses and uploads radio telescope data from a data server at University of California, Berkeley, in the US.
The screensaver software contains a buffer overrun vulnerability in code that processes responses from the SETI@home server, according to Berend-Jan Wever, the 26-year-old student.
After tricking the client into connecting to a server the attacker controls, an attacker could cause the buffer overrun by sending a long string of data followed by a "newline" character, Wever wrote.
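The pattern the advisory describes (a client copying a server's newline-terminated response into a fixed-size buffer without checking the length) can be illustrated in C. The following is a constructed example added here, not SETI@home's actual client code; the buffer size, function names and return codes are assumptions. It shows the unbounded copy beside a bounded reader that rejects over-long lines instead of overrunning or silently truncating them.

```c
#include <stddef.h>
#include <string.h>

#define RESP_LINE_MAX 64   /* assumed client-side limit for one response line */

/* Return codes for read_response_line(). */
enum { LINE_OK = 0, LINE_TOO_LONG = -1, LINE_INCOMPLETE = -2 };

/* The risky pattern the advisory describes: copy until newline with no bound.
 * A response longer than `buf` overruns it. Kept here as the "before" only;
 * it is never called by the hardened code below. */
void unsafe_read_line(const char *resp, char *buf)
{
    while (*resp && *resp != '\n')
        *buf++ = *resp++;      /* no check against the size of buf */
    *buf = '\0';
}

/* Hardened reader: copy one newline-terminated line from `resp` (length
 * `resp_len`) into `out` (capacity `cap`). The write index is checked against
 * `cap` before every store, so an oversized server response cannot write past
 * `out`. Returns LINE_OK and sets *len, or an error code the caller should
 * treat as a protocol violation. */
int read_response_line(const char *resp, size_t resp_len,
                       char *out, size_t cap, size_t *len)
{
    size_t i;
    if (cap == 0) return LINE_TOO_LONG;
    for (i = 0; i < resp_len; i++) {
        if (resp[i] == '\n') {
            out[i] = '\0';
            *len = i;
            return LINE_OK;
        }
        if (i + 1 >= cap)          /* must leave room for the terminator */
            return LINE_TOO_LONG;  /* reject rather than overrun or truncate */
        out[i] = resp[i];
    }
    return LINE_INCOMPLETE;        /* no newline seen within resp_len bytes */
}

/* Handle one server response using a stack buffer of RESP_LINE_MAX bytes.
 * Any status other than LINE_OK is a reason to drop the connection. */
int handle_server_response(const char *resp, size_t resp_len)
{
    char line[RESP_LINE_MAX];
    size_t len = 0;
    int rc = read_response_line(resp, resp_len, line, sizeof line, &len);
    if (rc != LINE_OK) return rc;
    /* parse `line` here; it is NUL-terminated and at most RESP_LINE_MAX-1 long */
    return LINE_OK;
}
```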
A separate problem concerns the SETI@home client's transmission of information back to the SETI@home server.
Wever discovered that all information from the SETI@home client is sent out in plain text form. That information includes data on the operating system and processor type used by the machine running the SETI@home client.
Malicious hackers could use the information for planning a larger network attack, according to the advisory.
The SETI@home team released a patched version of the client software, Version 3.08, which was described as a "precautionary security release", according to the information on the SETI@home Webpage (http://setiathome.ssl.berkeley.edu/download.html).
The vulnerability would require attackers to "spoof" a fake SETI@home server and trick the software clients into connecting to it before they could be compromised. The SETI@home team knew of no previous attack on a client that used such a method, the Web site said.
More than 4 million Internet users have registered with SETI@home. Of those registered users, more than 500,000 are considered "active", having returned data to the main server within the previous four weeks, according to the project's Web page.
I just thought you ppl might find this an interesting read.