http://www.wired.com/news/print_version/technology/story/15401.html

Intruders in The Palace
by Niall McKay

7:05 p.m. 2.Oct.98.PDT

The Palace chat community faced a security threat this week, when it discovered a software bug that allowed servers to send any type of software code to a user's machine.

Electric Communities, which bought The Palace this year, said that the bug has been fixed, but users need to update their client software to guard against the threat.

The company discovered the security hole earlier this week, and issued the software fix on Friday. Bryan Kerr, vice president of marketing and sales at Electric Communities, said no reports of users affected by the bug had been made.

"We sent out [an email] notice to users and our wizards list.... The nature of what we're doing is very distributed -- we've approached it in an open manner and communicate as quickly as we can," said Kerr.

The Palace is an online chat community where users are represented graphically by an avatar. About 300,000 people use the software, and community topics range from support operations for modem vendor 3Com to discussions of the TV show South Park.

The software is designed to download graphics and audio files that execute on the user's PC and interact with a user's avatar. However, due to a flaw in the software, there were no restrictions on the type of programs that could be transferred to a machine.

In this case, the bug could only be exploited by a rogue server operator sending malicious programs to machines running The Palace client software. The potential for damage includes rewriting a hard drive, uploading files, and crashing a machine.

"With the new software the client can only download and execute certain types of files -- such as graphics, audio, and HTML files," said Kerr. "There is no way for a rogue server operator to get access to the user's hard disk."