March 15, 2005 4:32 PM PST
LimeWire security flaw found, fixed
According to Emin Gun Sirer, an assistant professor of computer science, the flaw could allow an intruder to read any file on the hard drive of a person running LimeWire, whether or not it has been deliberately shared with others using the software.
Lime Wire Chief Technology Officer Greg Bildson said the Cornell team notified the company of the flaw several weeks ago, and that the software has already been updated and a patch released to users. Any consumers who have not already updated their software should do so as soon as they come online, he added.
"Thankfully, we have no reports of any abuse of these flaws, and we were able to make fixes available quickly," Bildson wrote. "The Cornell researchers have shown again that open-source development is a benefit to finding and fixing these types of flaws."
File-sharing software has been castigated by entertainment companies and politicians for creating security risks for consumers, but typically through ordinary use of the software rather than due to genuine flaws.
Particularly with early versions of file-trading software, new users sometimes accidentally shared the entire contents of their hard drives with the rest of the network. As a result, private information ranging from credit card transactions to banking passwords could be exposed.
After pressure from Congress, most file-sharing programs have installed some warning to people to make it clear which directories are being shared, however.
The flaws in LimeWire, which Bildson said were inadvertently introduced in development last year, potentially would have allowed attackers to access private information without a person's knowledge.
According to Download.com, a software aggregation site owned by News.com publisher CNET Networks, LimeWire has been downloaded more than 42 million times.