Seti@home is a scientific experiment that marshals the processing power of Internet-connected computers in the Search for Extraterrestrial Intelligence, or Seti. Participants install a free software program that downloads and analyses radio telescope data.
The Seti@home software is packaged as a screensaver. While the screensaver runs, the software downloads radio telescope data from a data server at the University of California, Berkeley, analyses it, and uploads the results back to that server.
The screensaver software contains a buffer overrun vulnerability in code that processes responses from the Seti@home server, according to Dutch student Berend-Jan Wever, who has issued a security advisory.
Once the client has been tricked into connecting to a server the attacker controls, the attacker can trigger the overrun simply by sending a long string of data followed by a "newline" character, Wever wrote; the client copies the response line into a fixed-size buffer without checking its length.
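The following C program is an added illustration of the bug pattern Wever describes, written for this page; it is not code from the Seti@home client, whose source is not reproduced here. The buffer size (RESP_LINE_MAX), the layout of `struct client_state`, and the attacker-supplied response line are all assumptions constructed for the example. It puts the unchecked "copy until newline" loop beside a bounded version that rejects an over-long server line instead of writing past the buffer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the page gives no size for the real client's buffer. */
#define RESP_LINE_MAX 32

/* Illustrative layout (assumed): a fixed-size line buffer followed by other
   client state. Overrunning `line` clobbers `num_results`, the kind of
   adjacent data an attacker-supplied over-long line can corrupt. */
struct client_state {
    char line[RESP_LINE_MAX];
    int  num_results;
    char scratch[16];   /* keeps the demo overrun inside the struct */
};

/* Vulnerable pattern: copy server bytes until '\n' with no bound on `i`.
   Returns the number of bytes copied. */
size_t read_line_unchecked(const char *resp, struct client_state *st)
{
    size_t i = 0;
    while (resp[i] != '\0' && resp[i] != '\n') {
        st->line[i] = resp[i];      /* no check that i < RESP_LINE_MAX */
        i++;
    }
    st->line[i] = '\0';
    return i;
}

/* Hardened: never write outside `line`. A line that does not fit (including
   room for the terminator) is rejected rather than silently truncated, since
   a truncated protocol line is itself a source of parser confusion.
   Returns the line length, or -1 if the response was dropped. */
int read_line_bounded(const char *resp, struct client_state *st)
{
    size_t i = 0;
    while (resp[i] != '\0' && resp[i] != '\n') {
        if (i + 1 >= RESP_LINE_MAX) {
            st->line[0] = '\0';
            return -1;              /* over-long line from the server: drop it */
        }
        st->line[i] = resp[i];
        i++;
    }
    st->line[i] = '\0';
    return (int)i;
}

/* Constructed "server" response: 36 bytes of filler, longer than the
   32-byte buffer, followed by the newline that ends the line. */
static const char attacker_response[] =
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA" "AAAA" "\n";

int main(void)
{
    struct client_state st;

    memset(&st, 0, sizeof st);
    st.num_results = 7;
    if (read_line_bounded(attacker_response, &st) < 0)
        printf("bounded: rejected over-long line, num_results still %d\n",
               st.num_results);

    /* Unchecked copy: writes past `line`, so num_results is no longer 7.
       This is undefined behaviour in C; it is run here only to make the
       overrun visible. */
    memset(&st, 0, sizeof st);
    st.num_results = 7;
    read_line_unchecked(attacker_response, &st);
    printf("unchecked: num_results now %d (buffer overrun)\n", st.num_results);
    return 0;
}
```

The fix Seti@home needed is the second shape: a bound on every copy driven by data the peer controls. Note that bounding the copy addresses memory corruption only; the client still has no way to tell a genuine Berkeley server from the spoofed one the attack relies on.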
The vulnerability affects all versions of the Seti@home client software, including those for the Microsoft Windows operating system, Apple's Macintosh operating system and versions of the Unix operating system.
The software running on the main Seti@home server at UC Berkeley contains a similar vulnerability.
A separate problem concerns the Seti@home client's transmission of information back to the Seti@home server. Wever found that everything the client sends goes out unencrypted, in plain text, including details of the operating system and processor type of the machine running the client.
An attacker positioned on the network path could collect that data with any of a number of common packet sniffing programs, yielding a host inventory useful for planning a larger network attack.
The Seti@home team released a patched version of the client software, Version 3.08, which was described as a "precautionary security release".
The vulnerability would require attackers to "spoof" a fake Seti@home server and trick the software clients into connecting to it before they could be compromised. The Seti@home team knew of no previous attack on a client that used such a method, the Web site said.
However, a client could be redirected to a fake server with spoofing tools, or attacked from an HTTP proxy server or router that the Seti@home host machine's traffic passes through.
More than four million Internet users have registered with Seti@home. Of those registered users, more than 500,000 are considered "active," having returned data to the main server within the past four weeks, according to the project's web page.
