Next message: mea culpa: "[ISN] ISS Launches Industry's First Enterprise Security Decision-Support App"
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime�t_private for more info.
--------------42C772BE3993
Content-Type: TEXT/PLAIN; CHARSET=us-ascii
Content-ID: <Pine.LNX.3.96.981004011637.5844o�t_private>
http://www.wired.com/news/print_version/technology/story/15401.html
Intruders in The Palace
by Niall McKay
7:05 p.m. 2.Oct.98.PDT
The Palace chat community faced a security threat this week, when it
discovered a software bug that allowed servers to send any type of
software code to a user's machine.
Electric Community, which bought The Palace this year, said that the bug
has been fixed, but users need to update their client software to guard
against the threat. The company discovered the security hole earlier this
week, and issued the software fix on Friday.
Bryan Kerr, vice president of marketing and sales at Electric Communities,
said no reports of users affected by the bug had been made.
"We sent out [an email] notice to users and our wizards list.... The
nature of what we're doing is very distributed -- we've approached it in
an open manner and communicate as quickly as we can," said Kerr.
The Palace is an online chat community where users are represented
graphically by an avatar. About 300,000 people use the software, and
community topics range from support operations for modem vendor 3Com to
discussions of the TV show South Park.
The software is designed to download graphics and audio files that execute
on the user's PC and interact with a user's avatar. However, due to a flaw
in the software, there were no restrictions on the type of programs that
could be transferred to a machine.
In this case, the bug could only be exploited by a rogue server operator
sending malicious programs to a machines running The Palace client
software. The potential for damage includes rewriting a hard drive,
uploading files, and crashing a machine.
"With the new software the client can only download and execute certain
types of files -- such as graphics, audio, and HTML files," said Kerr.
"There is no way for a rogue server operator to get access to the user's
hard disk."
--------------42C772BE3993--
-o-
Subscribe: mail majordomo�t_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30
: Fri Apr 13 2001 - 13:06:06 PDT