Security update: SETI@home screensaver 3.08

From:
http://www.theregister.co.uk/2003/04...ith_seti_home/

Dutch security researchers have discovered a set of security vulnerabilities with the
popular SETI@home program.

Various versions of the screensaver, which helps in the Search for Extraterrestrial
Intelligence by analysing data captured by the world's largest radio telescope, is
vulnerable to Information leakage and remotely exploitable buffer overflow flaw risks.

Clients on all platforms are subject to information leakage (the bug reveals the
processor type and OS of a user when work units are downloaded) and a buffer overflow
vulnerability. The main SETI@home server at shserver2.ssl.berkeley.edu "has been
confirmed" as vulnerable to denial of service attack through a similar buffer overflow
flaw.

Berend-Jan Wever, who discovered the vulnerability, explains that malicious attacks
based on the vulnerabilities are far from trivial.

"An attacker would have to reroute the connection the client tries to make to the
SETI@home webserver to a machine he or she controls," he writes in an advisory.

The SETI@home team said that "to our knowledge, no SETI@home client has ever been
attacked in this manner".

Nonetheless the issue has prompted the creation of version 3.08 of the screensaver,
described as a "precautionary security release".

There are currently over four million registered users of SETI@home, more than half a
million of whom have returned at least one result within the last four weeks. ®

External Links
http://spoor12.edup.tudelft.nl/SkyLi...ries/Seti@home

Information leakage and remotely exploitable buffer overflow in various SETI@home clients
http://setiathome.berkeley.edu/download.html

SETI@home

wrote in :

Nonetheless the issue has prompted the creation of version 3.08 of the
screensaver, described as a "precautionary security release".

Does that mean that the 4.03 version does not have this bug?

--
Ed

http://www.geeks.org/~ed/Usenet_Servers.html
strip to reply

Ed wrote:

wrote in :

Nonetheless the issue has prompted the creation of version 3.08 of the
screensaver, described as a "precautionary security release".

Does that mean that the 4.03 version does not have this bug?


This is very old 7 April 2003 news applying to the 3.03 version which is
probably still okay to run if your system is secure.

In message , Klaatu
writes
Ed wrote:

wrote in :

Nonetheless the issue has prompted the creation of version 3.08 of the
screensaver, described as a "precautionary security release".

Does that mean that the 4.03 version does not have this bug?


This is very old 7 April 2003 news applying to the 3.03 version which is
probably still okay to run if your system is secure.

I'm wondering why the OP is posting that at all. And I wonder if his ISP
knows he is using that address, presumably to generate spam :-)

Klaatu wrote:
Ed wrote:
wrote in :
Nonetheless the issue has prompted the creation of version 3.08 of the
screensaver, described as a "precautionary security release".

Does that mean that the 4.03 version does not have this bug?

This is very old 7 April 2003 news applying to the 3.03 version which is
probably still okay to run if your system is secure.

More so if you're running through SetiQueue!


And now, we're all on Boinc...

Strange the things some people post!!

Happy crunchin',
Martin


--
---------- OS? What's that?!
- Martin - To most people, "Operating System" is unknown & strange.
- 53N 1W - Mandrake 10.0.1 GNU Linux
---------- http://www.mandrakelinux.com/en-gb/concept.php3

Ed wrote:
wrote in :

Nonetheless the issue has prompted the creation of version 3.08 of the
screensaver, described as a "precautionary security release".

Does that mean that the 4.03 version does not have this bug?

3.08 = SETI@home I
4.03 = BOINC / SETI@home II

BOINC handles communications


--
Robi
(3.7#@ 3.42 yrs)