SETI@home is a scientific experiment that marshals the processing power of Internet-connected computers for the Search for Extraterrestrial Intelligence, or SETI. Participants install a free software program that downloads and analyses radio telescope data.
The SETI@home software is packaged as a screensaver. While the screensaver runs, the software downloads radio telescope data from a data server at the University of California, Berkeley, analyses it, and uploads the results.
The screensaver software contains a buffer overrun vulnerability in the code that processes responses from the SETI@home server, according to Dutch student Berend-Jan Wever, who has issued a security advisory.
Once the client has been tricked into connecting to a server the attacker controls, the attacker could trigger the overrun by sending a long string of data followed by a "newline" character, Wever wrote.
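The bug class described above, as an added illustration that is not code from the SETI@home client or from Wever's advisory: a response reader that copies bytes into a fixed-size buffer until it sees a newline, with no bound check, beside a bounded version that stops at the buffer's capacity and reports truncation. The 64-byte buffer size, the function names and the 500-byte "malicious response" are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer for one line of the server's response (size is an assumption). */
#define RESP_BUF 64

/*
 * The bug pattern the advisory describes (illustrative reconstruction, not the
 * SETI@home source): copy the response into a fixed buffer until a newline,
 * trusting the server never to send a line longer than the buffer.
 * A line of RESP_BUF or more bytes writes past the end of `out`.
 */
size_t unsafe_read_line(const char *resp, char out[RESP_BUF])
{
    size_t i = 0;
    while (resp[i] != '\0' && resp[i] != '\n') {
        out[i] = resp[i];            /* no bound on i: overflow when the line is long */
        i++;
    }
    out[i] = '\0';
    return i;
}

/*
 * Bounded version: never writes more than `cap` bytes (including the NUL)
 * and reports truncation so the caller can reject an over-long response
 * instead of silently acting on a partial one.
 * Returns 0 for a complete line, 1 if the line was truncated, -1 if cap == 0.
 */
int safe_read_line(const char *resp, char *out, size_t cap, size_t *len)
{
    size_t i = 0;
    if (cap == 0)
        return -1;
    while (resp[i] != '\0' && resp[i] != '\n') {
        if (i + 1 >= cap) {          /* only room left for the NUL: stop here */
            out[i] = '\0';
            *len = i;
            return 1;
        }
        out[i] = resp[i];
        i++;
    }
    out[i] = '\0';
    *len = i;
    return 0;
}

/* Builds the constructed malicious response: n bytes of 'A' followed by "\n". */
void make_long_response(char *buf, size_t n)
{
    memset(buf, 'A', n);
    buf[n] = '\n';
    buf[n + 1] = '\0';
}

int main(void)
{
    char evil[1024];
    char line[RESP_BUF];
    size_t len;
    int rc;

    make_long_response(evil, 500);   /* 500 bytes, far beyond the 64-byte buffer */

    /* unsafe_read_line(evil, line) would write 500 bytes into a 64-byte array;
       it is deliberately not called on this input. The bounded reader stops at 63. */
    rc = safe_read_line(evil, line, sizeof line, &len);
    printf("truncated=%d len=%zu\n", rc, len);

    rc = safe_read_line("OK\n", line, sizeof line, &len);
    printf("truncated=%d len=%zu line=\"%s\"\n", rc, len, line);
    return 0;
}
```

The practical check a fix should add is the one `safe_read_line` makes visible: a client talking to a network peer must treat the peer's line length as attacker-controlled, bound every copy by the destination size, and decide explicitly what to do with an over-long line (here, refuse it) rather than letting the copy run past the buffer.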
The vulnerability affects all versions of the SETI@home client software, including those for the Microsoft Windows operating system, Apple's Macintosh operating system and versions of the Unix operating system.
The software running on the main SETI@home server at UC Berkeley contains a similar vulnerability.
A separate problem concerns the SETI@home client's transmission of information back to the SETI@home server. Wever discovered that all information from the SETI@home client is sent in plain text. That information includes the operating system and processor type of the machine running the SETI@home client.
Malicious hackers could collect the SETI@home data with any of a number of common packet-sniffing programs, gaining useful information for planning a larger network attack.
The SETI@home team released a patched version of the client software, Version 3.08, which it described as a "precautionary security release".
The vulnerability would require attackers to "spoof" a fake SETI@home server and trick the software clients into connecting to it before they could be compromised. The SETI@home team knew of no previous attack on a client that used such a method, the Web site said.
However, clients could be redirected using spoofing tools, or attacked from an HTTP proxy server or router on the path used by the SETI@home host machine.
More than four million Internet users have registered with SETI@home. Of those registered users, more than 500,000 are considered "active", having returned data to the main server within the past four weeks, according to the project's web page.