Slashdot Mirror
Online Videos May Conduct Viruses
Technical Writing Geek writes "A report on threats via the Internet released by a Georgia Tech research center indicates online video may be a new avenue of attack. As the popularity of flash media continues to explode, hackers may be targeting embedded video players and more traditional video downloads with worms and virii. 'One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened. Attackers have also tried to spread fake video links via postings on YouTube ... Another soft spot involves social networking sites, blogs and wikis. These community-focused sites, which are driving the next generation of Web applications, are also becoming one of the juiciest targets for malicious hackers.'"
is viruses. Virii is made up. Go look it up. Viri is man, there is no "virii"
in the text: ... with worms and virii....
note: there is no Latin plural for the word
virus (means slime, basically). the expected
plural, viri, is the plural of vir (man). the
plural of virus is viruses.
Kevin O'Kane http://www.cs.uni.edu/~okane/
This attack vector isn't new however its spreading more and more as time progresses. What I find to be a worst attack vector are the ad servers such as Doubleclick, Akamai, etc.:
Yahoo's Right Media had Trojans in banner ads
Posted by Elinor Mills
For several weeks starting in early August, visitors to MySpace, Photobucket, Bebo and other high-traffic Web sites were exposed to banner ads that contained Trojan horse software that could wreak havoc on a computer.
Web security company ScanSafe tracked the malicious ads back to Yahoo's Right Media network and estimates that they ran several million times, according to The Washington Post's Security Fix news site. (source
Infiltrated dot Net
+That link suggests that it's Windows Media Player, rather than WMV, that's the problem, due to embedded IEness. It also specifically mentions quicktime as an exploitable format. It also says there are exploits in second life (that's a new one on me actually).
So, list of places windows users will probably pick up nastyware now includes... actually, anybody know of something that *won't* lead to malware with windows?
Liberte, Egalite, Fraternite (TM)
This is just FUD - but obviously this is Slashdot so who cares about facts anyway?
The truth is that the Flash player has actually a pretty draconian sandbox:
1. A flash movie can not write to disk or execute any command. Period. It only has a "cookie" mechanism to store info on user's computer but the user can allow/deny the action and allocate a quota for that info. The cookie is saved in the user's Documents and Settings folder (and the Mac/Linux equivalent), e.g. "C:\Documents and Settings\user\Application Data\Macromedia\Flash Player\#SharedObjects\LQ93AHGQ\www.youtube.com" The flash app cannot control the location or the file name.
2. A flash movie can't simultaneously have read access from the local file system and the Internet. What I mean is - either a flash movie loads a local file (text, xml, jpg, flv, etc) or it can communicate with a site (load URL, send variables with GET/POST, invoke a WS, etc) - but it cannot do both of them. A user has to go to Adobe website and specifically trust an application in order for that app to have more access.
3. Flash movies can't read the clipboard.
4. Access to microphone/webcam is disabled by default and must be enabled on a per-URL basis.
Anyone who RTFA knows that it's not about exploits inside the video stream, it's about fake links.
Now, I'm pretty sure I just wasted 10 minutes of my time trying to dispel some myths, because the average Slashdot user is too busy hating Flash and worshiping Steve Jobs. Mod me down, or better yet, just ignore this post and keep on living inside your bubble.