Lisa Rein.com Home

Audio Formats and Website Security

SXSW/Music - C.L.E. Program - March 16, 2002

Sound-Checking Your E-Performance: How to Keep Your Artist's Web Site Sound and Secure

Lisa Rein (lisarein@finetuning.com)
Available online at: http://www.lisarein.com/mediaplayerlinks.html

Lisa Rein teaches XML for UC Berkeley Extension Online and is a Contributing Editor for O'Reilly's XML.com and OpenP2P.com. She is also a singer/musician/songwriter with her own, very simple music website at: http://www.lisarein.com.

Short Biography:
http://www.finetuning.com/editor.html.

What the threats are

Why pick on the Windows Advanced Streaming Format?

Microsoft has been posting patches to the same bug about every six months for the last four years (since 1999).

It would appear the bug is too large to be "patched" effectively, or they're not trying very hard. Who knows? And at this point: Who cares? It's just a bad idea to use .ASF files, since they make your users susceptible to an attack.

Another issue of concern is that Microsoft keeps giving bad reasons for why there's no danger of the bug being exploited. It's easier to explain why these are "bad" reasons in a table:

Microsoft Excuse: Attacker would have to know the user's specific operating system.
Reality Check: Windows ASF files only play on Windows boxes, so that's an easy guess.

Microsoft Excuse: Attacker would have to "entice" or "convince" the user to open it and play it.
Reality Check: Such "enticement" or "convincing" only amounts to the end user clicking on a hyperlink or a button on a page.

Microsoft Excuse: If the attacker wasn't particularly skillful, all their code would be able to do is crash the user's system.
Reality Check: So all your users know is that your website was the last place they went before their whole system crashed, and not to go there again. Great. (And they'll tell their friends.)

Microsoft Excuse: To cause any serious damage, the attacker would have to be skillful enough to actually replace lines in the player's executable code with the code of their choosing.
Reality Check: Yep. That's what malicious code is all about: replacing a program's usual instruction set with the code of one's own design. That's why we call it a "security vulnerability."
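The practical takeaway from the table above is that a site owner should know whether any page on the artist's site still points visitors at an .ASF file. The following script is an added example, not part of the original handout: it walks the tags of an HTML page that can carry a media URL (hyperlinks, embeds, objects, params, links) and reports every one whose path ends in an extension from a configurable list, ignoring query strings, fragments and letter case. The extension list, the tag/attribute table and the sample HTML are all assumptions constructed for this example.

```python
"""Audit an HTML page for links that point at Windows Media .ASF files.

Added example, not code from the original handout. A site maintainer can
run it over their own pages to find every hyperlink, embed or object that
serves the format the handout recommends avoiding. The extension list,
the tag/attribute table and SAMPLE_HTML are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags that can reference a media file, and the attributes holding the URL.
# (Assumed table for this example; extend it for other embedding markup.)
URL_ATTRS = {
    "a": ("href",),
    "embed": ("src",),
    "object": ("data",),
    "param": ("value",),   # <param name="FileName" value="..."> inside <object>
    "link": ("href",),
}

# Extensions to flag. Only .asf is named by the handout; add others as needed.
DEFAULT_EXTENSIONS = (".asf",)


def has_extension(url, extensions=DEFAULT_EXTENSIONS):
    """True if the URL's path ends in one of `extensions`.

    The query string and fragment are discarded first, so
    "live.asf?track=3#intro" is still recognised, and the comparison is
    case-insensitive so "demo.ASF" is caught as well.
    """
    path = urlsplit(url.strip()).path.lower()
    return path.endswith(tuple(e.lower() for e in extensions))


class _MediaLinkFinder(HTMLParser):
    """Collects (tag, attribute, url) for every flagged media reference."""

    def __init__(self, extensions):
        super().__init__()
        self.extensions = extensions
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names for us.
        for attr, value in attrs:
            if value and attr in URL_ATTRS.get(tag, ()) and has_extension(value, self.extensions):
                self.hits.append((tag, attr, value))


def find_media_links(html, extensions=DEFAULT_EXTENSIONS):
    """Return every flagged media reference in `html`, in document order."""
    finder = _MediaLinkFinder(extensions)
    finder.feed(html)
    finder.close()
    return finder.hits


# Constructed sample page for the demonstration (not a real site).
SAMPLE_HTML = """<html><body>
<h1>Demo tracks</h1>
<a href="media/demo.ASF">Listen to the demo</a>
<a href="media/demo.mp3">MP3 version</a>
<a href="http://example.com/live.asf?track=3#intro">Live set</a>
<embed src="/clips/intro.asf" autostart="true"></embed>
<object data="press/kit.pdf"></object>
<a href="notes.asf.txt">Not a media file</a>
</body></html>"""


def report(html, extensions=DEFAULT_EXTENSIONS):
    """Print one line per flagged reference and return how many were found."""
    hits = find_media_links(html, extensions)
    for tag, attr, url in hits:
        print(f"<{tag} {attr}> -> {url}")
    print(f"{len(hits)} reference(s) to {', '.join(extensions)} found")
    return len(hits)


if __name__ == "__main__":
    report(SAMPLE_HTML)
```

Run it against a saved copy of each page (for example `find_media_links(open("index.html").read())`); three of the six references in the sample are flagged, while `notes.asf.txt` is correctly ignored because its path ends in `.txt`, not `.asf`. Passing a different tuple such as `(".mp3",)` reuses the same walk to inventory any other format.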

Other Security Tips of Note


Resources

General Security Links
