Every program installed on users’ PCs exposes users to potential security risks — for any program can contain design flaws that let attackers take control of a user’s computer. But experience shows some kinds of programs to be far more risky than others. Frequent readers of my site won’t be surprised to learn that software from WhenU, distributed on WhenU’s own web site until mere weeks ago, is among the programs with security vulnerabilities that let attackers take over users’ PCs.
For details, see my new WhenU Security Hole Allows Execution of Arbitrary Software. I explain the specific WhenU software found to be vulnerable, and I show what an attacker would have to do to take advantage of the vulnerability.
Among advertisement-display programs, WhenU is not alone in its security vulnerabilities. Earlier this year, researchers from the University of Washington found similar vulnerabilities in software from Claria and eZula. (See their Measurement and Analysis of Spyware in a University Environment (PDF).)
Before releasing this research to the public, I alerted WhenU staff to the flaw in their software. WhenU staff acknowledged the security risks of the software I identified — saying the program was “obsolete” and claiming it was taken out of public distribution in September 2002, even as it remained on WhenU’s ordinary public web site until I brought it to their attention. In any event, my testing indicates that the vulnerable code has now been removed from WhenU’s site, and that vulnerable software installed on users’ PCs has been patched via WhenU’s auto-update system.
I’m releasing this research in preparation for tomorrow’s hearing entitled “Who Might Be Lurking at Your Cyber Front Door? Is Your System Really Secure?,” convened by the House Committee on Government Reform‘s Subcommittee on Technology, Information Policy, Intergovernmental Relations, and the Census. Spyware poses serious security risks of which users and policy-makers should be aware.