http://www.wired.com/news/print_version/technology/story/15401.html
Intruders in The Palace
by Niall McKay
7:05 p.m. 2.Oct.98.PDT
The Palace chat community faced a security threat this week, when it
discovered a software bug that allowed servers to send any type of
software code to a user's machine.
Electric Communities, which bought The Palace this year, said that the bug
has been fixed, but users need to update their client software to guard
against the threat. The company discovered the security hole earlier this
week, and issued the software fix on Friday.
Bryan Kerr, vice president of marketing and sales at Electric Communities,
said no reports of users affected by the bug had been made.
"We sent out [an email] notice to users and our wizards list.... The
nature of what we're doing is very distributed -- we've approached it in
an open manner and communicate as quickly as we can," said Kerr.
The Palace is an online chat community where users are represented
graphically by an avatar. About 300,000 people use the software, and
community topics range from support operations for modem vendor 3Com to
discussions of the TV show South Park.
The software is designed to download graphics and audio files that execute
on the user's PC and interact with a user's avatar. However, due to a flaw
in the software, there were no restrictions on the type of programs that
could be transferred to a machine.
In this case, the bug could only be exploited by a rogue server operator
sending malicious programs to machines running The Palace client
software. The potential for damage includes rewriting a hard drive,
uploading files, and crashing a machine.
"With the new software the client can only download and execute certain
types of files -- such as graphics, audio, and HTML files," said Kerr.
"There is no way for a rogue server operator to get access to the user's
hard disk."
Received on Mon Oct 5 08:51:01 1998