Slashdot Mirror

← Back to Stories (view on slashdot.org)

Online Videos May Conduct Viruses

Posted by Zonk on from the tubes-are-just-full-of-surprises dept.

Technical Writing Geek writes "A report on threats via the Internet released by a Georgia Tech research center indicates online video may be a new avenue of attack. As the popularity of flash media continues to explode, hackers may be targeting embedded video players and more traditional video downloads with worms and virii. 'One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened. Attackers have also tried to spread fake video links via postings on YouTube ... Another soft spot involves social networking sites, blogs and wikis. These community-focused sites, which are driving the next generation of Web applications, are also becoming one of the juiciest targets for malicious hackers.'"

11 of 195 comments (clear)

  1. It's Indevitable. by TechyImmigrant · · Score: 4, Insightful

    Every new application that places a large footprint of code in the line of fire on the internet will be subject to attack.

    Media apps are big, hairy and process gobbets of data straight from the attacker's server. What did people expect?

    --
    Evil people are out to get you.
  2. Anyone seen any code? by grassy_knoll · · Score: 4, Insightful

    "The next logical step seems to be the media players," Rouland said.


    So, are they just guessing FLV may sometime become a virus vector? Has someone done a proof of concept?

    TFA makes it sound like the Georgia Tech Information Security Center is making it up as they go along.
    --
    A Human Right
    1. Re:Anyone seen any code? by Technician · · Score: 2, Insightful

      So, are they just guessing FLV may sometime become a virus vector? Has someone done a proof of concept?

      TFA makes it sound like the Georgia Tech Information Security Center is making it up as they go along.

      The FA was short on details, but from what I've seen in online video, there are 2 probable ways this is done. Most flash video sites require scripting to be on.. Duh there is a vector right there. Other sites insist you download their viewer (Untrusted software anyone?). With an untrusted viewer and scripting on, a video could easily launch this attack.

      --
      The truth shall set you free!
  3. They don't have to be by XanC · · Score: 5, Insightful

    What's wrong with posting MPG files for people to download? Every site these days is Flash video, or insists and assumes you're running a Web browser, wrapping their video file in Flash controls and burying the actual URL to the actual file people want to see under a dozen redirects.

    All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??

    1. Re:They don't have to be by satoshi1 · · Score: 3, Insightful

      Yes.

    2. Re:They don't have to be by UbuntuDupe · · Score: 2, Insightful

      Two words: money.

      Well, make that three: control.

      --
      Apology to Ubuntu forum.
    3. Re:They don't have to be by kebes · · Score: 5, Insightful

      All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??
      Actually it would be much, much easier to design a system that just exposed the URL for a standard video file. The user/browser could then either download it, or have a plugin that buffers and displays it inside the browser. This eliminates all kinds of problems both for the web developers and the user.

      But, of course, the real reason for using Flash-based players is that it acts as a weak form of DRM. The intention is to force the user to watch the video only at the site (with ads, etc.), and to not allow the user to take the video, transfer it elsewhere (e.g. iPod), edit out commercials, redistribute it, etc.

      Of course, we all know that it is possible to write a script that extracts the video... but it becomes a tiresome arms race. This is just another example of the fundamental tradeoff between the notion of "convenience" (for the user) and "control" (for the distributor). The user wants freedom. The distributor wants DRM.
  4. Re:The word by Woek · · Score: 1, Insightful

    Mod parent up, "virii" should be exterminated!

  5. Why should Flash have any kind of write access??? by G4from128k · · Score: 5, Insightful

    Why in the world should the Flash player have any kind of access/execution/write privileges on the browser's machine? I can understand that the player needs to be able to execute some form of code to create interactivity, but shouldn't this be so totally sandboxed that presents a minimal threat to the user or the OS.

    This just confirms my opinion that Flash is an evil cancer on the web designed to move control of the web experience from the person browsing to the Flash author (who maybe a botnet builder).

    --
    Two wrongs don't make a right, but three lefts do.
  6. Correction : WMV conducts viruses by Anonymous Coward · · Score: 2, Insightful

    Let's leave the MS-apologist spin out of the summary. Video has nothing to do with it:

    It's the WMV format that conducts the viruses.

  7. Re:How does this work?? by CoffeeIsMyGod · · Score: 2, Insightful

    It's a little bit more subtle than that. Here is a simple example: there could be a section of the file that is supposed to be 100 bytes long, null terminated. The program could read it in but some joker put 200 bytes and a null there instead and the program dutifly reads all 200 bytes into a 100 byte buffer. If the size isn't checked you could overflow the stack, overwrite the return pointer, and cause the function that read the bytes return execution into some bits of code that are storred in the buffer. Think of it as hijacking the execution process.

    Most media readers don't actually execute the media.

    Well, except for the embedded URL feature in Windows media... and Flash ActionScript... and...

    Oh dear.