SETI@home fixes hole

05-27-2003, 08:59 PM
Written by Paul Roberts, in the June issue of Australian PC World

Providing further proof of the adage that "No good deed goes unpunished", the SETI@home screen saver contains software vulnerabilities that could allow attackers to execute malicious code on machines running the popular program, according to an advisory released by a computer science student in The Netherlands.
SETI@home is a scientific experiment that marshals the processing power of internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). Participants install a free software program that downloads and analyses radio telescope data.
The SETI@home software is packaged as a screensaver. While the screensaver runs, the software downloads, analyses and uploads radio telescope data from a data server at University of California, Berkeley, in the US.
The screensaver software contains a buffer overrun vulnerability in code that processes responses from the SETI@home server, according to Berend-Jan Wever, the 26-year-old student.
After tricking the client into connecting to a server the attacker controls, an attacker could cause the buffer overrun by sending a long string of data followed by a "newline" character, Wever wrote.
A separate problem concerns the SETI@home client's transmission of information back to the SETI@home server.
Wever discovered that all information from the SETI@home client is sent out in plain text form. That information includes data on the operating system and processor type used by the machine running the SETI@home client.
Malicious hackers could use the information for planning a larger network attack, according to the advisory.
The SETI@home team released a patched version of the client software, Version 3.08, which was described as a "precautionary security release", according to the information on the SETI@home Webpage (http://setiathome.ssl.berkeley.edu/download.html).
The vulnerability would require attackers to "spoof" a fake SETI@home server and trick the software clients into connecting to it before they could be compromised. The SETI@home team knew of no previous attack on a client that used such a method, the Web site said.
More than 4 million Internet users have registered with SETI@home. Of those registered users, more than 500,000 are considered "active", having returned data to the main server within the previous four weeks, according to the project's Web page.

I just thought you ppl might find this an interesting read.

05-28-2003, 03:17 PM
I'm sorry sis but who uses the screensaver version? :confused:

Commandline is the way to run SETI. :thumb:

05-28-2003, 04:03 PM
I don't know what you guys use.
Just thought it might be enlightening for someone that may use it.

06-03-2003, 12:43 PM
Thanks for the Info WS!

06-06-2003, 05:12 PM
I'll be happy if the information helps "just" one person to secure their comp just that little bit more.

06-06-2003, 06:14 PM
Well there are still a few usin' it sadly but we'd rather them use the cmdline.exe as the rewards are both much quicker crunchin' and much much less system conflicts. ;)