Lisa Rein.com Home
Rein teaches XML for UC Berkeley Extension Online|
and is a Contribution Editor for O'Reilly's
XML.com and OpenP2P.com. She is
also a singer/musician/songwriter with her own,
very simple music website at:
Contrary to popular belief, there is nothing inherently insecure about the MP3 Audio format.
The security risks come up based on the mode of delivery of the content itself, rather than the file format chosen.
It is how the files are accessed by the end user (file sharing systems, scripting, simple hyperlink or cgi upload/download) that can pose the security risk, rather than the file format. (With a few exceptions, like the Windows Advanced Streaming Format (ASF) -- which may just be too risky.)
The security risks that have been getting a lot of press lately (see below), only happen when File Sharing systems are coupled with browser-based scripting to control Media Players.
Vulnerabilities are with the scripting implementations coupled with Active X controls or spoofed to make a Windows-based system believe that a malicious component is an Active X control, thus giving the code the permissions that Windows allows Active X controls to have.
If you don't use scripting to launch browser controls in the process of launching a media player, such vulnerabilities can't be exploited.
The file extensions are all that is needed to launch most media players (.mp3, .wma, etc.) -- no scripting or .asx files etc. are needed.
Microsoft has been posting patches to the same bug about every six months for the last four years (since 1999).
It would appear the bug is to large to be "patched" effectively, or they're not trying very hard. Who knows? And at this point: Who cares? It's just a bad idea to use .ASF files since they make your users susceptible to an attack.
Another issue of concern is that Microsoft keeps giving the bad reasons for why there's no danger of the bug being exploited. It's easier to explain why these are "bad" reasons in a table:
|Microsoft Excuse||Reality Check|
|Attacker would have to know the users specific Operating System||Windows ASF files only play on Windows boxes, so that's an easy guess.|
|Attacker would have to "entice" or "convince" the user to open it and play it.||Such "enticement" or "convincing" only amounts to the end user clicking on a hyperlink or a button on a page.|
|If the attacker wasn't particularly skillful, all their code would be able to do is crash the users system.||So all your users know is your website was the last place they went before their whole system crashed and to not go there again. Great. (And they'll tell their friends.)|
|To cause any serious damage, the attacker would have to be skillful enough to actually replace lines in the player's executable code with the code of their choosing.||Yep. That's what malicious code is all about: replacing a program's usual instruction set with the code of one's own design. That's why we call it a "security vulnerability."|
Always do credit card transactions through trusted third parties.
Always encrypt form data or data collected via cookies (user registration info, user site use data).
Lisa Rein.com Home
Security holes found in Windows Media Player
November 27, 2000
By Terho Uimonen, IDG.net
Security Hole Patched in Windows Media Player: Microsoft calls flaw 'critical' but won't give details.
November 20, 2000
By Jaikumar Vijayan, Computerworld Online
Microsoft Security Bulletin MS01-056 Print
Windows Media Player .ASF Processor Contains Unchecked Buffer, Originally posted: November 20, 2001
MP3 Files Not Always Safe
February 25, 2002
Brian McWilliams, NewsBytes
FAQ in Real Player Buffer Overflow
Real Networks Web Site, January 2002
"The bug is essentially a parsing error in the player code associated with reading RM files, commonly known as a "buffer overrun" bug which could theoretically be used by hackers to adversely affect users.Ý The bug was fixed by improving the robustness of file parsing. When RealPlayer encounters files modified in the manner described by this exploit, it will now inform the user that the file is corrupt when played."
Crypto-gram Security Newsletter
Bruce is one of the leading security experts in the world and he can explain both the security vulnerabilities and the fixes for them very clearly and simply.
Lisa Rein.com Home