Researcher uncovers security flaws in media players
Last Updated: Friday, August 3, 2007 | 8:43 AM ET
The Associated Press
Media players in personal computers have serious vulnerabilities that could allow online criminals to attach malicious code and infect computers without the user's knowledge, a researcher said Thursday.
As a result, audio and video downloads can be turned into digital weapons that hackers could use to hijack or corrupt computers, said David Thiel, senior security consultant with San Francisco-based researcher iSEC Partners.
Thiel, who exposed the flaws on relatively obscure open-source media players during a presentation at the Black Hat hacker conference in Las Vegas, said he has found several flaws in popular commercial players. But he declined to provide their brand names because, he says, he is still disclosing the exploits to the companies so they can issue fixes.
He isn't aware of any current attacks using the vulnerabilities he's discovered but said they're hard to track.
"The actual potential for attack is reasonably severe because nobody cares about actually playing videos from YouTube or playing music on web pages — you can't get music to stop playing at you," he said.
"Because this stuff is launched automatically, I think the impact could be significant."
Paul Proctor, a research vice-president with Gartner Inc., said Thiel's findings could pressure companies to investigate flaws in their media players and patch them quickly.
Hackers have targeted media players before, Proctor said, but Thiel's attacks appear to infiltrate the machines more deeply and circumvent traditional internet safeguards.
Thiel unveiled a new program using a technique called "fuzzing" — corrupting the files used in applications in a controlled way to find exploitable bugs — to identify weaknesses in various media players.
"This is a new frontier for hacks," Proctor said. "The straightforward, basic truth is that companies that make media players of all types will have to become as vigilant."
Thiel and other programmers are exposing security vulnerabilities during the two-day Black Hat conference and will continue doing so at the three-day Defcon convention that starts here Friday. So-called "white hat" hackers present flaws to alert companies that their products are vulnerable to pranks or serious attacks by malicious or "black hat" hackers.
Jeff Moss, director of Black Hat, said conference organizers picked Thiel to present his findings because digital audio and video files are becoming phenomenally popular on YouTube, MySpace and other social networking sites.
"This is the next logical place to attack," Moss said. "People know not to open strange documents, but they click on MP3s all day long."

