The project, which allows desktop and workstation users to contribute processing time to the search for extraterrestrials, issued the new distributed client on Friday. It fixes a buffer overflow vulnerability that could allow an attacker to take control of a computer simply by feeding the client specially formatted Web traffic in place of the data it expects from the project's server.
The flaw is one of three reported to Seti@home by a Dutch security researcher last December. The three vulnerabilities only became public knowledge this weekend.
"This has been tested with various versions of the client," Berend-Jan Wever, a 26-year-old computer-science student from Delft University and the researcher who found the flaw, stated on his Web site. "All versions are presumed to have this flaw in some form."
SETI@home software has been installed on more than 4.4 million registered users' desktops and has between 500,000 and 600,000 active users, according to the SETI@home Web site. The group defines an "active" user as one from which they have received a calculated result in the past month.
The vulnerability affects all versions of the client, including the Windows screensaver, the MacOS screensaver and the Linux and Unix command-line clients. To exploit it, an attacker must either set up a fake SETI@home server and redirect the victim's client to it, or take control of one of the project's own Web servers.
SETI@home stated that those caveats make an attack unlikely. "The vulnerability involves a scenario in which hackers are able to impersonate the SETI@home data server, that is, trick the client into communicating with a fake server," said David Anderson, director of the SETI@home project. "This scenario has never happened, as far as we know."
However, Wever pointed out that software to help an attacker reroute a victim's communications already exists.
"This can be done using various widely available spoofing tools," he noted on his Web site. "An attacker could also use the machine the proxy runs on as a base for this attack."
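The scenario above (a spoofed server handing the client an over-long field that is copied into a fixed-size buffer) is the classic shape of this bug class. The following is an added illustration written for this page, not SETI@home's code; the header name, the 64-byte buffer size and the 300-byte spoofed value are assumptions chosen for the example, since the article gives none of those details. It shows the unbounded copy beside a hardened version that rejects a response whose field does not fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the fixed buffer a client reserves for one header value.
 * The real SETI@home buffer size is not stated in the article. */
#define VALUE_MAX 64

/* Vulnerable pattern (illustrative, not SETI@home's code): the value of a
 * header line such as "Content-Length: 1234\r\n" is copied into a fixed
 * buffer with no length check, so a spoofed server controls how many
 * bytes land in 'out'. Never feed this untrusted input; it is here to
 * show the defect, not to be exercised with a long value. */
void copy_header_value_unsafe(const char *line, char out[VALUE_MAX])
{
    const char *colon = strchr(line, ':');
    const char *value = colon ? colon + 1 : line;
    while (*value == ' ')
        value++;
    size_t n = strcspn(value, "\r\n");
    memcpy(out, value, n);          /* no bound against VALUE_MAX */
    out[n] = '\0';
}

/* Hardened version: same parse, but a value that would not fit (or a line
 * with no "name: value" shape) is rejected with -1 so the caller can drop
 * the connection instead of truncating silently or overrunning the buffer. */
int copy_header_value_safe(const char *line, char out[VALUE_MAX])
{
    const char *colon = strchr(line, ':');
    if (!colon)
        return -1;
    const char *value = colon + 1;
    while (*value == ' ')
        value++;
    size_t n = strcspn(value, "\r\n");
    if (n >= VALUE_MAX)             /* would overflow: reject the response */
        return -1;
    memcpy(out, value, n);
    out[n] = '\0';
    return 0;
}

/* Constructed sample input: what a fake server might send. Builds a header
 * line whose value is 300 bytes of 'A' into buf; returns the line length
 * (0 if buf is too small). */
size_t build_spoofed_line(char *buf, size_t bufsz)
{
    const char prefix[] = "Content-Length: ";
    const size_t plen = sizeof(prefix) - 1;
    const size_t vlen = 300;
    if (bufsz < plen + vlen + 3)
        return 0;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', vlen);
    memcpy(buf + plen + vlen, "\r\n", 3);   /* includes the terminating NUL */
    return plen + vlen + 2;
}

int main(void)
{
    char out[VALUE_MAX];
    char spoofed[512];
    const char benign[] = "Content-Length: 1234\r\n";   /* constructed */

    build_spoofed_line(spoofed, sizeof spoofed);

    copy_header_value_unsafe(benign, out);   /* short value: fits */
    printf("unsafe parse of benign line: %s\n", out);

    printf("safe parse of benign line: %d (%s)\n",
           copy_header_value_safe(benign, out), out);
    printf("safe parse of spoofed line: %d (rejected)\n",
           copy_header_value_safe(spoofed, out));
    return 0;
}
```

The point of the hardened version is the explicit reject path: the client cannot trust the length of anything the server sends, so a field that does not fit is treated as a protocol error rather than data to be squeezed in.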
Wever and SETI@home both recommend that users download the latest software from the project's Web site. In addition, SETI@home software users can download a patch from its Web site. The command-line versions of the software for Windows, Linux and Solaris will be available later on Monday, said SETI@home's Anderson. Information about the security flaw has been sent to open-source projects that have created other versions of the software as well.
The Dutch security researcher pointed out two other flaws in the SETI software. One involves the amount of information the client sends to the server unencrypted. The data includes a great deal of detail about the computer running the client, Wever noted, and should be considered a flaw.
The other flaw, apparently in the SETI@home servers, could let an attacker compromise the main servers, the Dutch researcher said. If exploitable, that would put every SETI@home client at risk, since a compromised project server is one of the two positions from which the client flaw can be attacked. E-mails to Wever were not immediately answered.
SETI@home's Anderson, however, stressed that the server vulnerability had been fixed nearly two months ago using information Wever provided.
The SETI@home project uses the spare processing power of volunteers' computers to analyze radio-telescope data. The client software, in the form of a screensaver, downloads raw data collected by the telescope and scours it for intelligent signals embedded in it.
This type of number crunching is computationally intensive. But with around 4.3 million users, the researchers are able to make the most of the world's idle processing power, logging 48 teraflops, or 48 trillion floating-point operations per second.
The SETI Web site explains the logic: "While you are getting coffee, or having lunch or sleeping, your computer will be helping the Search for Extraterrestrial Intelligence by analyzing data specially captured by the world's largest radio telescope."
Web designer Sean Rainey of Melbourne, Australia, has used the SETI client for about two years.
He joked that intelligent extraterrestrials may have used the vulnerability already in order to smudge the project's findings. "It's clear as day," he said. "They're quite happy just being left alone."
ZDNet Australia's Patrick Gray reported from Sydney.