
SETI@home fixes hole


  • SETI@home fixes hole

    Written by Paul Roberts, in the June issue of Australian PC World

    Providing further proof of the adage that "No good deed goes unpunished", the SETI@home screen saver contains software vulnerabilities that could allow attackers to execute malicious code on machines running the popular program, according to an advisory released by a computer science student in The Netherlands.
    SETI@home is a scientific experiment that marshals the processing power of internet-connected computers in the Search for Extraterrestrial Intelligence (SETI). Participants install a free software program that downloads and analyses radio telescope data.
    The SETI@home software is packaged as a screensaver. While the screensaver runs, the software downloads, analyses and uploads radio telescope data from a data server at University of California, Berkeley, in the US.
    The screensaver software contains a buffer overrun vulnerability in code that processes responses from the SETI@home server, according to Berend-Jan Wever, the 26-year-old student.
    After tricking the client into connecting to a server the attacker controls, an attacker could cause the buffer overrun by sending a long string of data followed by a "newline" character, Wever wrote.
    A separate problem concerns the SETI@home client's transmission of information back to the SETI@home server.
    Wever discovered that all information from the SETI@home client is sent out in plain text form. That information includes data on the operating system and processor type used by the machine running the SETI@home client.
    Malicious hackers could use the information for planning a larger network attack, according to the advisory.
    The SETI@home team released a patched version of the client software, Version 3.08, which was described as a "precautionary security release", according to the information on the SETI@home Webpage (http://setiathome.ssl.berkeley.edu/download.html).
    The vulnerability would require attackers to "spoof" a fake SETI@home server and trick the software clients into connecting to it before they could be compromised. The SETI@home team knew of no previous attack on a client that used such a method, the Web site said.
    More than 4 million Internet users have registered with SETI@home. Of those registered users, more than 500,000 are considered "active" having returned data to the main server within the previous four weeks, according to the project's Web page.

    I just thought you ppl might find this an interesting read.
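
The article gives only the outline of the overrun: a long server reply terminated by a newline. As an added illustration (not SETI@home code and not part of the original post), here is the general unbounded line-copy pattern next to a length-checked version in C; the function names, the 16-byte buffer and the sample replies are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Unsafe pattern, for contrast only (never called here): copies up to the
   newline with no bound on dst, so an overlong line writes past the buffer. */
void copy_line_unbounded(char *dst, const char *src) {
    while (*src != '\n' && *src != '\0')
        *dst++ = *src++;
    *dst = '\0';
}

/* Checked version: returns the line length, or -1 when no newline arrived
   within src_len bytes or the line (plus NUL) does not fit in cap bytes. */
long copy_line_bounded(char *dst, size_t cap, const char *src, size_t src_len) {
    const char *nl = memchr(src, '\n', src_len);
    size_t n;
    if (nl == NULL)
        return -1;                 /* unterminated: caller reads more or drops */
    n = (size_t)(nl - src);
    if (n >= cap)
        return -1;                 /* too long: reject instead of overrunning */
    memcpy(dst, src, n);
    dst[n] = '\0';
    return (long)n;
}

/* Constructed input: 63 filler bytes plus newline, aimed at a 16-byte buffer. */
long overlong_reply_result(void) {
    char reply[64], line[16];
    memset(reply, 'A', sizeof reply - 1);
    reply[sizeof reply - 1] = '\n';
    return copy_line_bounded(line, sizeof line, reply, sizeof reply);
}

int main(void) {
    char line[16];
    const char ok[] = "status ok\nnext";   /* constructed sample reply */
    long n = copy_line_bounded(line, sizeof line, ok, sizeof ok - 1);
    printf("short reply -> %ld (%s)\n", n, n >= 0 ? line : "rejected");
    printf("overlong reply -> %ld\n", overlong_reply_result());
    return 0;
}
```

The checked version rejects an overlong line outright rather than truncating it, so the caller can drop the connection instead of parsing a partial reply.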

  • #2
    I'm sorry sis but who uses the screensaver version? :confused:

    Commandline is the way to run SETI. :thumb:



    • #3
      I don't know what you guys use.
      Just thought it might be enlightening for someone that may use it.



      • #4
        Thanks for the Info WS!



        • #5
          I'll be happy if the information helps "just" one person to secure their comp just that little bit more.



          • #6
            Well there are still a few usin' it sadly but we'd rather them use the cmdline.exe as the rewards are both much quicker crunchin' and much much less system conflicts. ;)
