A security researcher recently found a potentially critical vulnerability in the program which drives the FastTrack network. FastTrack is used by Kazaa and iMesh. Joltid, the company behind the software, initially said the flaw was not serious, but has since done an about-face and plans to plug the loophole.
The makers of Kazaa released a patch Tuesday and are urging customers to install it as soon as possible.
According to the original security advisory, published on the Full Disclosure security mailing list, attackers can take control of or crash the FastTrack "supernodes" that file swappers connect to.
"It's definitely a serious risk. Just ask anyone if executing arbitrary code is a serious risk or not," the researcher told ZDNet Australia.
Identifying himself only by his pseudonym, Random Nut, he said he went public with the vulnerability after waiting nearly two weeks for Kazaa and Joltid to get back to him.
"On Tue 13 May I e-mailed a guy at Joltid, and about two days later I filed a bug report at (the Kazaa Web site). Yesterday, after reading it on Full Disclosure, someone working for Joltid contacted me. He told me that the guy I e-mailed had been on a long honeymoon," he said.
Although he has exploited the vulnerability, he will not make the exploit code public.
"I haven't released the exploit code. I don't want some little script-kiddie to close down all of the network or parts of it," he said.
A representative for Sharman Networks, the company behind Kazaa, told ZDNet Australia that the company had been informed by Joltid that the issue wasn't serious.
"As a licensee, Sharman Networks has been advised that the security of the FastTrack peer-to-peer technology is not under any significant risk," she said. Kazaa will use information provided to them by Joltid in authoring a patch.
"Sharman Networks, distributor of Kazaa Media Desktop, has made a patch prominently available on the Kazaa Media Desktop application to resolve a potential security vulnerability with FastTrack," the company said Tuesday in a statement. "Sharman Networks encourages all Kazaa Media Desktop users to download the patch at their earliest opportunity."
ZDNet Australia's Patrick Gray reported from Sydney.