Space Searcher SETI@home Has Bugs

Providing further proof of the adage "No good deed goes unpunished," the SETI@home screen saver has been found to contain vulnerabilities that could let attackers execute malicious code on PCs running the popular program, according to an advisory released by a computer science student in the Netherlands.

SETI@home is a scientific experiment that marshals the processing power of Internet-connected computers in the search for extraterrestrial intelligence (SETI).

Participants install a free software program packaged as a screen saver.

While the screen saver runs, the software downloads, analyzes, and uploads radio telescope data from a server at the University of California, Berkeley, host of the SETI@home project.

The SETI@home team has released patched client software, version 3.08, which was described as a "precautionary security release," according to information on the SETI@home Web page. (The SETI@home screen saver has also been updated in PCWorld.com's Downloads section).

Buffer Bug

The earlier version of the screen-saver software contains a buffer overrun vulnerability in code that processes responses from the SETI@home server, according to Berend-Jan Wever, the 26-year-old Dutch student who wrote the advisory.

After tricking the client into connecting to a server the attacker controls, an attacker could cause the buffer overrun by sending a long string of data followed by a "newline" character, Wever wrote.

The vulnerability affects all versions of the SETI@home client software, including those for the Microsoft Windows operating system, Apple Computer's Macintosh operating system, and versions of the Unix operating system.

The software running on the main SETI@home server at UC Berkeley contains a similar vulnerability, according to the advisory.

Hijacked Transmission

A separate problem concerns the SETI@home client's transmission of information back to the SETI@home server. Wever discovered that all information from the SETI@home client is sent out in plain text form. That information includes data on the operating system and processor type used by the machine running the SETI@home client.

Malicious hackers could collect the SETI@home data using any one of a number of common packet-sniffing programs, providing useful information for planning a larger network attack, according to the advisory.

The vulnerability would require attackers to "spoof" a fake SETI@home server and trick the software clients into connecting to it before they could be compromised. The SETI@home team knew of no previous attack on a client that used such a method, the Web site said.

However, clients could easily be tricked using spoofing tools or attacked from HTTP proxy servers or routers used by the SETI@home host machine, according to the advisory.

More than 4 million Internet users have registered with SETI@home. Of those registered users, more than 500,000 are considered "active," having returned data to the main server within the last four weeks, according to the project's Web page.