
Thread: Media file Issue

  1. #1

    Media file Issue

    From http://www.securityfocus.com

    By Brian McWilliams, Newsbytes
    Feb 25 2002 10:32AM PT

    A quirk in media players from Microsoft and RealNetworks could enable attackers to hijack Web browsers and run scripts on the computers of some MP3 music fans.

    The trick has apparently been discovered by pornography sites and spammers, which have been seeding some music file trading services with bogus MP3 music files.

    One such MP3 file, ostensibly containing the music of the Los Angeles-based rock group Lifehouse, launched a pornographic video and generated a "massive" amount of pop-up ads when played back on the Windows Media Player from Microsoft, according to one newsgroup report.

    Tests by Newsbytes have shown that both the Windows Media Player and the RealOne Player from RealNetworks are susceptible to the attack, which involves creating a special multimedia file in the players' respective proprietary formats, and then renaming that file so that it has a .MP3 extension.

    Representatives of Microsoft and RealNetworks were not immediately available for comment.

    Because they cannot contain viruses or other malicious code, files in the MP3 format are generally trusted by Internet users, who freely swap such files with strangers over services such as Morpheus, Grokster and Kazaa.

    But security experts today said the popular players' handling of multimedia files could open a new door for "malware" writers.

    "With this feature, security holes in Internet Explorer are now exploitable from MP3 files," said Richard M. Smith, an Internet consultant and formerly chief technology officer for the Privacy Foundation.

    In fact, the booby-trapped MP3s circulating on file swapping services are not MP3s at all, but instead are camouflaged files in the proprietary formats created by Microsoft and RealNetworks.

    Both media firms have developed media formats that enable content developers to add hyperlinks and JavaScript code to their audio or video presentations.

    In tests by Newsbytes, both companies' media players ignored discrepancies between a file's actual media format and its file name extension.

    For example, a special multimedia file created by Newsbytes in Microsoft's proprietary .WMA format played back properly in the Windows Media Player after being renamed with a .MP3 extension. The demonstration launched Web pages in the listener's browser while an audio track played.

    Similarly, the RealOne player successfully launched a RealVideo file that had been renamed with a .MP3 extension and vice versa.

    According to Thor Larholm, a Danish security researcher, downloaded media files with embedded URLs and scripts are subject to the security features built in to Microsoft's Internet Explorer browser. Since such files are usually treated as local files by IE, they may have additional privileges that allow the files to run hostile ActiveX components and execute commands, he said.

    AOL Time Warner's WinAMP media player is not capable of playing such renamed files, nor are any other popular music players that do not support Real's and Microsoft's proprietary formats.

    Besides modifying their media players to ascertain whether a file's content matches its file name extension, Smith said Microsoft and RealNetworks could resolve the potential security issues by restricting the ability of music files to execute JavaScript or launch URLs.

    In response to a growing threat from malicious HTML e-mail messages, Microsoft has made similar changes to its Outlook e-mail reader, Smith said.

    Microsoft's information on embedding URLs in digital media files is available at http://msdn.microsoft.com/library/en...7_urlflips.asp .

    Real's page on synchronized multimedia is http://service.real.com/help/videoccg/synchmm.html .

    A demonstration of the issue is at http://www.pc-radio.com/camouflage.html .

    Reported by Newsbytes, http://www.newsbytes.com .



    © 2001 The Washington Post Company



    <tips@securityfocus.com>

    This one could get ugly if it's not patched
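
The check Smith proposes in the article above (does a file's content match its extension?) can also be run by a defender over a download folder. This is an added example, not part of the original post or article: the signature bytes are the standard ASF header GUID, RealMedia/RealAudio magic values and MP3 markers, which the article does not list, and the function names and sample headers are constructed for illustration.

```python
import os

# Well-known on-disk signatures (assumed here; the article does not list them).
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # WMA/WMV/ASF
REAL_MAGICS = (b".RMF", b".ra\xfd")  # RealMedia container, older RealAudio

# Extensions each sniffed container may legitimately carry.
EXPECTED_EXTENSIONS = {
    "asf": {".wma", ".wmv", ".asf"},
    "realmedia": {".rm", ".ra", ".rmvb"},
    "mp3": {".mp3"},
}
# Containers the article says can carry hyperlinks and script.
SCRIPTABLE = {"asf", "realmedia"}


def sniff_container(header: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name."""
    if header.startswith(ASF_HEADER_GUID):
        return "asf"
    if header.startswith(REAL_MAGICS):
        return "realmedia"
    # MP3: an ID3v2 tag, or an MPEG audio frame sync (11 set bits).
    if header.startswith(b"ID3") or (
        len(header) >= 2 and header[0] == 0xFF and (header[1] & 0xE0) == 0xE0
    ):
        return "mp3"
    return "unknown"


def check_media_file(name: str, header: bytes) -> dict:
    """Compare the claimed extension with the sniffed container."""
    ext = os.path.splitext(name)[1].lower()
    container = sniff_container(header)
    mismatch = container != "unknown" and ext not in EXPECTED_EXTENSIONS[container]
    return {"name": name, "container": container, "mismatch": mismatch,
            "quarantine": mismatch and container in SCRIPTABLE}


# Constructed sample headers (first 16 bytes only), not real captures.
SAMPLES = [
    ("song.mp3", ASF_HEADER_GUID),                        # WMA renamed to .mp3
    ("clip.mp3", b".RMF" + b"\x00" * 12),                 # RealMedia renamed
    ("tagged.mp3", b"ID3\x03\x00" + b"\x00" * 11),        # genuine MP3, ID3v2
    ("frames.mp3", b"\xff\xfb\x90\x00" + b"\x00" * 12),   # genuine MP3, no tag
    ("lecture.wma", ASF_HEADER_GUID),                     # honest WMA
]

if __name__ == "__main__":
    for name, header in SAMPLES:
        print(check_media_file(name, header))
```

Only the first 16 bytes of each file are needed, so the same functions can be fed `open(path, "rb").read(16)` for real files.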

  2. #2
    AntiOnline Senior Member
    Join Date: Oct 2001
    Posts: 514
    Excellent heads up! Good post!
    uraloony, Founder of Loony Services
    Visit us at http://www.loonyservices.com/

  3. #3
    Second good post of yours I've read in like 5 mins - keep it up

    v_Ln

  4. #4
    Priapistic Monk KorpDeath
    Join Date: Dec 2001
    Posts: 2,628
    Nice, like you didn't already know those media players were full of holes. I betcha M$ plays this one down a bit.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  5. #5
    Senior Member
    Join Date: Nov 2001
    Posts: 742
    Good Post!
