
Patching a Hole

A Cornell research group has discovered serious vulnerabilities in a widely used peer-to-peer file-sharing program. The flaws in LimeWire, a popular client for the Gnutella file-sharing network, would allow an intruder to read any file on a computer running the program, including confidential information and some password files. The problem occurs in both the free and paid versions of the program, on all operating systems.

As soon as his research group noticed the problem, Emin Gun Sirer, Cornell assistant professor of computer science, notified Lime Wire LLC, the company that distributes the software. “Lime Wire responded immediately and had a patch ready within a few hours,” Sirer reported. Patches are available for every version except the one for the classic Mac OS, which the company is still working on, Sirer said.

The most serious vulnerability affects LimeWire versions 4.1.2 through 4.4.5. It can be exploited even when the computer sits behind a firewall. A second vulnerability affects versions 3.9.6 through 4.6.0 but can be blocked by a firewall. Because the two ranges overlap, a copy between 4.1.2 and 4.4.5 is exposed to both.

Both vulnerabilities can be exploited without any special tools, Sirer said, using nothing more than an ordinary telnet client. Like other Gnutella clients, LimeWire is designed to let users download music and video files shared through the Gnutella network and to offer files from their own sharing folder to others. That folder is meant to be the whole security boundary: anything outside it should be unreachable from the network. The flaw, unfortunately, allowed remote users to retrieve other files on the machine, not just those in the user’s sharing folder.
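The flaw described above is the general failure of a file-serving component that does not confine client-supplied paths to its shared folder. The following Python example is added here for illustration and is not LimeWire's code; the article does not say how LimeWire resolved requests or how Lime Wire fixed it. It contrasts a naive resolver, which hands the client's path straight to the filesystem, with a hardened one that canonicalises the path and checks that it still lies under the share root. The directory layout, file names and file contents are constructed for the demo.

```python
"""Confining download requests to a share folder (added illustration).

Not LimeWire's code. A file-sharing client is supposed to serve only the
files under one 'Shared' directory. The naive resolver below reproduces the
class of bug the article describes: a request naming '../passwords.txt' or
an absolute path is served. The hardened resolver refuses anything whose
canonical path is not inside the share root. POSIX paths assumed.
"""
import os
import tempfile
from typing import Dict, Optional, Tuple


def naive_resolve(share_root: str, requested: str) -> str:
    """Weak resolver: trusts the client-supplied path.

    os.path.join drops share_root entirely when `requested` is absolute,
    and '..' segments are passed through to the filesystem unchanged, so
    a request can name any file the process is allowed to read.
    """
    return os.path.join(share_root, requested)


def confined_resolve(share_root: str, requested: str) -> Optional[str]:
    """Hardened resolver: a real path inside share_root, or None.

    Leading slashes are stripped so the request is always relative to the
    share; the result is canonicalised (resolving '..' and symlinks); and
    the canonical path must still have the share root as an ancestor.
    """
    root = os.path.realpath(share_root)
    candidate = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None  # escaped the share via traversal or a symlink
    if candidate == root or not os.path.isfile(candidate):
        return None  # directories and missing files are not served
    return candidate


def serve(share_root: str, requested: str, hardened: bool) -> Tuple[int, bytes]:
    """Answer one download request with an HTTP-style (status, body)."""
    if hardened:
        path = confined_resolve(share_root, requested)
        if path is None:
            return 404, b""
    else:
        path = naive_resolve(share_root, requested)
        if not os.path.isfile(path):
            return 404, b""
    with open(path, "rb") as f:
        return 200, f.read()


def demo() -> Dict[str, Tuple[int, bytes]]:
    """Constructed home directory: a Shared folder plus a secret outside it.

    Returns the (status, body) each resolver gives for a legitimate request,
    a '..' traversal request and an absolute-path request.
    """
    home = tempfile.mkdtemp()
    share = os.path.join(home, "Shared")
    os.mkdir(share)
    with open(os.path.join(share, "song.mp3"), "wb") as f:
        f.write(b"ID3 constructed sample")
    secret = os.path.join(home, "passwords.txt")
    with open(secret, "wb") as f:
        f.write(b"constructed secret")
    return {
        "legit_naive": serve(share, "song.mp3", hardened=False),
        "legit_hardened": serve(share, "song.mp3", hardened=True),
        "traversal_naive": serve(share, "../passwords.txt", hardened=False),
        "traversal_hardened": serve(share, "../passwords.txt", hardened=True),
        "absolute_naive": serve(share, secret, hardened=False),
        "absolute_hardened": serve(share, secret, hardened=True),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:20s} {status} {body!r}")
```

The containment check is done on the canonical path rather than on the request string, so encoded or oddly spelled traversal sequences and symlinks planted inside the share are caught the same way; rejecting only literal ".." substrings would not be enough. Serving a 404 rather than a distinct "forbidden" status avoids telling a prober which files exist outside the share.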

Sirer is a specialist in peer-to-peer systems. He and graduate student Kevin Walsh discovered the LimeWire problem while working on a new application, called Credence, that is intended to work with LimeWire and give users a way to judge how trustworthy the sources of their downloads may be.

Credence allows users to share ratings of objects, similar to the ratings on Amazon, but with features that discourage dishonest ratings. The idea has applications to many other types of peer-to-peer networks, such as those in which distributed workers collaborate. “As systems scale bigger and there is more collaboration on the net, we are going to need systems for evaluating the statements made by peers,” Sirer explained.

—Bill Steele
Cornell News Service
