[ISN] Intruders in the Palace (chat software bug)

From: Brian Martin (bmartint_private)
Date: Sun Oct 04 1998 - 01:17:29 PDT

Intruders in The Palace
by Niall McKay
7:05 p.m. 2.Oct.98.PDT

The Palace chat community faced a security threat this week, when it discovered a software bug that allowed servers to send any type of software code to a user's machine.

Electric Communities, which bought The Palace this year, said that the bug has been fixed, but users need to update their client software to guard against the threat. The company discovered the security hole earlier this week, and issued the software fix on Friday.

Bryan Kerr, vice president of marketing and sales at Electric Communities, said no reports of users affected by the bug had been made.

"We sent out [an email] notice to users and our wizards list.... The nature of what we're doing is very distributed -- we've approached it in an open manner and communicate as quickly as we can," said Kerr.

The Palace is an online chat community where users are represented graphically by an avatar. About 300,000 people use the software, and community topics range from support operations for modem vendor 3Com to discussions of the TV show South Park.

The software is designed to download graphics and audio files that execute on the user's PC and interact with a user's avatar. However, due to a flaw in the software, there were no restrictions on the type of programs that could be transferred to a machine.

In this case, the bug could only be exploited by a rogue server operator sending malicious programs to machines running The Palace client software. The potential for damage includes rewriting a hard drive, uploading files, and crashing a machine.

"With the new software the client can only download and execute certain types of files -- such as graphics, audio, and HTML files," said Kerr. "There is no way for a rogue server operator to get access to the user's hard disk."
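The fix Kerr describes amounts to an allowlist: the client accepts a handful of media kinds and refuses everything else. The following is an added illustration of that idea, not code from The Palace client or from Electric Communities; the type names, signature checks and sample payloads are constructed for the example. The point it makes that the article does not spell out is that the check has to be on the bytes themselves, not on the type label the server supplies, because the server is exactly the party the fix no longer trusts.

```python
"""Allowlist screening for files a chat client receives from a server.

Constructed example: identifies each payload from its leading bytes and
accepts it only if it is one of a few media kinds AND matches the type the
server declared. Nothing that fails the check is stored or opened.
"""
from __future__ import annotations

# Server-declared content types the client will even consider, mapped to the
# kind the bytes must actually sniff as. Anything else is refused outright.
ALLOWED_DECLARED_TYPES = {
    "image/gif": "gif",
    "image/png": "png",
    "image/jpeg": "jpeg",
    "audio/wav": "wav",
    "audio/x-wav": "wav",
    "text/html": "html",
}

# Leading-byte signatures for the allowed binary kinds.
_SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "wav": (b"RIFF",),  # the form tag at offset 8 must also read WAVE
}

# Native executable headers (PE/DOS, ELF, Mach-O). Recognised only to report a
# clearer reason; they are rejected anyway because they are not allowlisted.
_EXECUTABLE_MARKERS = (b"MZ", b"\x7fELF", b"\xfe\xed\xfa", b"\xca\xfe\xba\xbe")


class RejectedDownload(Exception):
    """Raised for any payload the client must not store or open."""


def sniff_kind(data: bytes) -> str | None:
    """Identify the payload from its bytes, ignoring what the server claims."""
    for kind, sigs in _SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            if kind == "wav" and data[8:12] != b"WAVE":
                continue  # RIFF container that is not a WAV (e.g. AVI)
            return kind
    # HTML has no fixed magic; require the first non-blank bytes to be an
    # HTML doctype or root tag.
    head = data[:512].lstrip().lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html"
    return None


def screen_download(declared_type: str, data: bytes) -> str:
    """Return the verified kind of an acceptable payload, else raise."""
    expected = ALLOWED_DECLARED_TYPES.get(declared_type.split(";")[0].strip().lower())
    if expected is None:
        raise RejectedDownload(f"declared type not on allowlist: {declared_type!r}")
    kind = sniff_kind(data)
    if kind is None:
        if data.startswith(_EXECUTABLE_MARKERS):
            raise RejectedDownload(f"executable bytes declared as {declared_type!r}")
        raise RejectedDownload(f"unrecognised bytes declared as {declared_type!r}")
    if kind != expected:
        raise RejectedDownload(f"declared {declared_type!r} but bytes are {kind}")
    return kind


# Constructed sample traffic: (file name, declared type, payload bytes).
SAMPLE_DOWNLOADS = [
    ("avatar.gif", "image/gif", b"GIF89a" + bytes(16)),
    ("ding.wav", "audio/wav", b"RIFF" + bytes(4) + b"WAVEfmt " + bytes(16)),
    ("room.html", "text/html", b"<!DOCTYPE html><html><body>hi</body></html>"),
    # Executable relabelled as an image: the bytes give it away.
    ("prop.gif", "image/gif", b"MZ\x90\x00" + bytes(60)),
    # Declared type not on the allowlist at all.
    ("helper.exe", "application/octet-stream", b"MZ\x90\x00" + bytes(60)),
    # Allowed declared type, but the bytes are a different RIFF form.
    ("noise.wav", "audio/wav", b"RIFF" + bytes(4) + b"AVI LIST"),
]


def screen_all(downloads=SAMPLE_DOWNLOADS) -> dict[str, str]:
    """Map each file name to its accepted kind or a 'rejected: ...' reason."""
    results = {}
    for name, declared, data in downloads:
        try:
            results[name] = screen_download(declared, data)
        except RejectedDownload as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in screen_all().items():
        print(f"{name:12} {outcome}")
```

Two design choices matter here. The declared type is consulted only to decide whether to look at the payload at all; acceptance hinges on the sniffed kind agreeing with it, so a relabelled executable fails even when the label is on the allowlist. And the rejection path is the default: an unrecognised payload is refused without needing to be identified as dangerous first.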
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:06:06 PDT