Sunday, December 04, 2005

LimeWire Security Hole Exposed and Remedied

Slyck News story dated March 14, 2005:

On the LimeWire.com homepage a curious message has recently appeared. On the upper left portion of the homepage, the text 'Security Update!! All LimeWire users of versions prior to 4.8 must upgrade' was posted. The lack of detail, while potentially confusing to some, is a method of self-protection when a serious exploit is discovered: withholding specifics until most users have patched limits what an attacker can learn from the announcement.
However, since a more mainstream audience has adopted LimeWire, the next move has been to release additional information to reach its extensive user base. LimeWire has also communicated the situation by sending upgrade messages to users of older versions. Slyck spoke with LimeWire COO Greg Bildson about the security flaw.
"LimeWire versions prior to our 4.8 release of two weeks ago contained a serious potential security flaw. Since April of 2004, it was possible to craft an HTTP request for an arbitrary file off the computer of an active user. The problem actually arose in two forms. Version 4.6 fixed half of the problem but it was only in version 4.8 that we fixed both problems. These flaws were pointed out to us by Cornell researchers reading through the open source code themselves."
"We quickly created patches and addressed the problems immediately upon discovery. We have been shipping version 4.8 for two weeks but we strongly encourage all users to upgrade. If users have not yet upgraded to version 4.8, please do so."
"Let me outline the two specific problems. There was a bug introduced in LimeWire in April 2004 which could allow access to an arbitrary file off a user's hard disk. Based on this bug, an HTTP request could be crafted for a file on the same hard drive that LimeWire was installed on. Our 4.8 release on Feb 28 fixed this problem."
"A similar but slightly more invasive problem was introduced in July of 2004 as part of a new feature. Based on a flaw in the design of this code, an HTTP request could be crafted for a file across hard drives on a user's computer when actively running LimeWire. This problem was fixed in version 4.6 of LimeWire."
"Again, we strongly encourage all users to upgrade to LimeWire version 4.8.1 available now if they have not already done so."
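
The class of flaw Bildson describes is the standard one for any peer that serves files over HTTP: the requested name is joined onto the shared folder without checking that the result stays inside it, so "../" segments walk out of the share and an absolute or drive-qualified name (the "across hard drives" case) replaces the share entirely. The example below is added here and is not LimeWire's code nor anything from the Slyck story; the shared-folder layout, file names and crafted requests are constructed for illustration. It puts a naive resolver beside a confined one that decodes once, refuses absolute and drive-qualified names, follows symlinks, and then requires the resolved path to lie under the resolved share root.

```python
"""Path-confinement check for an HTTP file-serving handler.

Added example, not LimeWire's code. The fixture (a 'Shared' folder holding
song.mp3, and a secret.txt one level above it) is constructed for the demo.
"""
import os
import tempfile
from urllib.parse import unquote


def resolve_unsafe(shared_root: str, requested: str) -> str:
    """Naive lookup: decode the request and join it onto the shared root.

    os.path.join throws shared_root away when `requested` is absolute
    ("/etc/passwd" on POSIX, "D:\\secret.txt" on Windows), and "../"
    segments walk out of the root. Both are the flaw, kept on purpose.
    """
    return os.path.join(shared_root, unquote(requested))


def _inside(root: str, path: str) -> bool:
    """True if `path` is `root` or lies beneath it (both already realpath'd).
    commonpath raises ValueError for paths on different Windows drives,
    which is exactly the cross-drive escape, so treat that as outside."""
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:
        return False


def resolve_safe(shared_root: str, requested: str):
    """Confined lookup: real path of a regular file inside shared_root,
    or None if the request would escape the share or names no such file."""
    root = os.path.realpath(shared_root)
    # Decode exactly once. A doubly encoded "..%252F" becomes the literal
    # name "..%2F", which simply does not exist inside the share.
    name = unquote(requested)
    # Refuse absolute and drive-qualified names before joining, so that
    # os.path.join can never discard the root.
    if os.path.isabs(name) or os.path.splitdrive(name)[0]:
        return None
    # realpath follows symlinks, so a link inside the share that points
    # outside it is caught by the containment check as well.
    candidate = os.path.realpath(os.path.join(root, name))
    if not _inside(root, candidate):
        return None
    if not os.path.isfile(candidate):
        return None
    return candidate


def build_demo_tree():
    """Constructed fixture: returns (base, shared). shared/song.mp3 may be
    served; base/secret.txt must never be. A symlink shared/link.txt ->
    base/secret.txt is added where the platform allows it."""
    base = tempfile.mkdtemp()
    shared = os.path.join(base, "Shared")
    os.mkdir(shared)
    with open(os.path.join(shared, "song.mp3"), "wb") as f:
        f.write(b"ID3 constructed sample bytes")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not shared")
    try:
        os.symlink(os.path.join(base, "secret.txt"),
                   os.path.join(shared, "link.txt"))
    except (OSError, NotImplementedError):
        pass  # symlink creation unsupported or unprivileged; demo still works
    return base, shared


def compare(shared_root: str, requests):
    """Run each crafted request through both resolvers.
    Returns {request: (unsafe_result_escapes_share, safe_result)}."""
    root = os.path.realpath(shared_root)
    results = {}
    for req in requests:
        unsafe = os.path.realpath(resolve_unsafe(shared_root, req))
        results[req] = (not _inside(root, unsafe), resolve_safe(shared_root, req))
    return results


if __name__ == "__main__":
    _, shared = build_demo_tree()
    crafted = ["song.mp3", "../secret.txt", "..%2Fsecret.txt",
               "..%252Fsecret.txt", "/etc/passwd", "link.txt"]
    for req, (escapes, safe) in compare(shared, crafted).items():
        print(f"{req:22} naive escapes share: {escapes!s:5}  confined: {safe}")
```

The decisive check is the comparison against the resolved root after realpath, not any blacklist of "../" or drive letters; the pre-join rejection of absolute names only exists so that os.path.join never gets a chance to drop the root in the first place.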

Original Slyck News story
