Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Online Videos May Conduct Viruses

Zonk posted about 7 years ago | from the tubes-are-just-full-of-surprises dept.

Security 195

Technical Writing Geek writes "A report on threats via the Internet released by a Georgia Tech research center indicates online video may be a new avenue of attack. As the popularity of flash media continues to explode, hackers may be targeting embedded video players and more traditional video downloads with worms and virii. 'One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened. Attackers have also tried to spread fake video links via postings on YouTube ... Another soft spot involves social networking sites, blogs and wikis. These community-focused sites, which are driving the next generation of Web applications, are also becoming one of the juiciest targets for malicious hackers.'"

cancel ×

195 comments

Sorry! There are no comments related to the filter you selected.

Erm (1)

ilovegeorgebush (923173) | about 7 years ago | (#20824887)

I thought this was obvious...

Re:Erm (3, Funny)

Ucklak (755284) | about 7 years ago | (#20825159)

Yeah, 1996 called, they want their virus distribution back.

I guess the researchers at Georgia Tech were 11 and younger when this was done before.

Re:Erm (2, Interesting)

Crayon Kid (700279) | about 7 years ago | (#20827493)

Yeah, 1996 called, they want their virus distribution back.
And yet it's so damn sad to see that in 10 years the industry has still not learned to do things right.

Good security starts from the design phase. If it was not meant to be hacked it should not be hacked. Security holes are mainly the fault and the responsability of the people who designed those buggy pieces of software.

And yet we see the media always blaming "hackers". Sure, they're assholes who try to break and enter. But it's like a bank leaving its vault wide open and allowing anyone in, and then complaining that some people stole the money.

Why don't the programmers fix the security holes? Why do they allow the holes to exist in the first place? Nobody seems to ask those questions. I suppose "hackers are at it again" makes better headlines than "bad engineers are at it again".

Correction : WMV conducts viruses (2, Insightful)

Anonymous Coward | about 7 years ago | (#20825275)

Let's leave the MS-apologist spin out of the summary. Video has nothing to do with it:

It's the WMV format [eweek.com] that conducts the viruses.

Correction : Everything conducts Viruses (4, Informative)

Repossessed (1117929) | about 7 years ago | (#20826503)

+That link suggests that it's Windows Media Player, rather than WMV, that's the problem, due to embedded IEness. It also specifically mentions quicktime as an exploitable format. It also says there are exploits in second life (that's a new one on me actually).

So, list of places windows users will probably pick up nastyware now includes... actually, anybody know of something that *won't* lead to malware with windows?

Re:Correction : Everything conducts Viruses (1)

kyofunikushimi (769712) | about 7 years ago | (#20827403)

"actually, anybody know of something that *won't* lead to malware with windows?"

BSD/Linux running under vmware, maybe?

Dammit! (3, Funny)

djasbestos (1035410) | about 7 years ago | (#20824907)

And I thought my porn was safe with AV and spyware/adware blockers and cookie cleaners and...

Re:Dammit! (1)

hahiss (696716) | about 7 years ago | (#20825705)

I guess this says that you probably should start wearing a condom as well.

Re:Dammit! (1)

Joebert (946227) | about 7 years ago | (#20828383)

Nah, at this point you just start using anti-bacterial soap & learn to spot people with the same, uhh, intrests you have.

Re:Dammit! (0)

Anonymous Coward | about 7 years ago | (#20826491)

Your porn is still safe. It's the non-porn videos that aren't.

It's Indevitable. (4, Insightful)

TechyImmigrant (175943) | about 7 years ago | (#20824933)

Every new application that places a large footprint of code in the line of fire on the internet will be subject to attack.

Media apps are big, hairy and process gobbets of data straight from the attacker's server. What did people expect?

They don't have to be (5, Insightful)

XanC (644172) | about 7 years ago | (#20825019)

What's wrong with posting MPG files for people to download? Every site these days is Flash video, or insists and assumes you're running a Web browser, wrapping their video file in Flash controls and burying the actual URL to the actual file people want to see under a dozen redirects.

All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??

Re:They don't have to be (3, Insightful)

satoshi1 (794000) | about 7 years ago | (#20825095)

Yes.

Re:They don't have to be (2, Insightful)

UbuntuDupe (970646) | about 7 years ago | (#20825285)

Two words: money.

Well, make that three: control.

Re:They don't have to be (3, Funny)

vertinox (846076) | about 7 years ago | (#20826431)

Was the first word "ninja?"

Re:They don't have to be (1)

Chris_Jefferson (581445) | about 7 years ago | (#20825589)

Then they can't surround the video with ads, or do cool things like show "You would also like" after the video.

Also, having done some work on this kind of thing, you get your videos working on the most computers without having to make users do anything if you use flash. You might not like it, but it gets higher coverage than something like an mpeg.

Re:They don't have to be (1)

XanC (644172) | about 7 years ago | (#20825637)

You're certainly right about ads.

But won't most browsers talk to the default media player and play an MPG in the browser window when you click on it?

Re:They don't have to be (1)

kalirion (728907) | about 7 years ago | (#20825595)

Maybe same reason people want images embedded into webpages so that you don't have to download them to view in a seperate image viewer?

Re:They don't have to be (1)

XanC (644172) | about 7 years ago | (#20825685)

That should be up to the user agent. As far as I know, media player plugins by default play video in the web page, or at least pop right up when you click on a video.

Re:They don't have to be (1)

PitaBred (632671) | about 7 years ago | (#20828493)

So don't install flash, and don't play the videos. You can still use Lynx to browse the Internet, you know. It's still 100% up to the user agent. But you'll miss out on a lot. Besides, the flash video is more elegant than mpeg video in general, what with being able to easily custom-brand videos and such.

Re:They don't have to be (0)

Anonymous Coward | about 7 years ago | (#20825659)

Is that so danged difficult??

actually it is difficult...to understand the attitude of silly old c**ts like you.

you can shout any crap you like from the sidelines of the internet but try to keep in mind that you, and people like you, are largely irrelevant. =)

So...ten choice words - lose the tired anti-flash attitude and stfu you cretin.

Re:They don't have to be (5, Insightful)

kebes (861706) | about 7 years ago | (#20825693)

All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??
Actually it would be much, much easier to design a system that just exposed the URL for a standard video file. The user/browser could then either download it, or have a plugin that buffers and displays it inside the browser. This eliminates all kinds of problems both for the web developers and the user.

But, of course, the real reason for using Flash-based players is that it acts as a weak form of DRM. The intention is to force the user to watch the video only at the site (with ads, etc.), and to not allow the user to take the video, transfer it elsewhere (e.g. iPod), edit out commercials, redistribute it, etc.

Of course, we all know that it is possible to write a script that extracts the video... but it becomes a tiresome arms race. This is just another example of the fundamental tradeoff between the notion of "convenience" (for the user) and "control" (for the distributor). The user wants freedom. The distributor wants DRM.

Re:They don't have to be (1)

Goaway (82658) | about 7 years ago | (#20827895)

No, the real real reason to use Flash players is that they work for the largest range of users. No other solution works as well, nor is as convenient.

Re:They don't have to be (1)

marcosdumay (620877) | about 7 years ago | (#20828293)

Standard video files used to work quite well before those flash player appeared.

Re:They don't have to be (2, Informative)

mha (1305) | about 7 years ago | (#20825701)

Hi,

I would like to add my opinion this time. Some time ago I started a new idea: building *multimedia* learning content. Sounds easy enough, only that I had some more goals. Among them was to build a community-based platform - as in "OWNED by the community", not a "web 2.0" startup.

By the way, the current state is at http://letexa.com/ [letexa.com] - I'm giving the URL because you can see what I'm going to talk about next in real-life examples.

So, I tried with HTML/Javascript. I always knew I had to use Flash vor the Video and/or Audio in any case. See the Change-Blog of the site for how it went. I ended up with an all-Flash solution.

BREAK - for those asking me why I want video/audio and that this is a huge waste: I want MULTIMEDIA, as I already said... yes, I add closed captioning but I'm iin the "MM" business. I don't want to join a discussion "everything should be text", you can sell your TV and radio if you like (I don't have a TV at home at all) and go all-newspaper if you like. I *like* producing MM content.

So how can I produce content for worldwide delivery, that I can distribute not only on the web but as standalone software too? Produce Videos, like it's done so often? No way. I want to add interactivity (I admit to having just two interactive examples on my page, of the few that are there in the first place, and only one of them is actually *really* interactive content and not just "if you click here another video starts"), .avi .mp4 or whatever don't help at all. Also, other advantages of Flash:

- It scales. Not just the vector contents, the pixel-contents scales too! That sounds strange, but what I mean is this: You can add pictures (and videos) to Flash that have way more pixels than needed at the chosen resolution. This is NOT useless, because if the user resizes the viewer (which you as the author have to allow in the code and which youtube and co don't do) the additional pixels are used!

- When I create multimedia content and not a technical manual or a news article I like being able to position all content at exact places and sizes (and have them scale all together, see above). Flash does that. To do the same in HTML I need to add LOTS of Javascript and recalculate positions, add hidden divs for resizing detection, etc. HTML was made for Universities and tech. TEXT articles/content, and trying to create all kinds of stuff like user interfaces with it is just a huge horrible hack. The JS libraries that exist are fine (YUI is my choice, etxjs(.com) seems great too (originally it was a YUI extension) but is for web-based apps only - while YUI takes care of "normal" websites too). However, the complexity is enormous, and has anyone ever thought about where all those GIGA(!)-hertz are going? I used to have a 486DX33 and that machine was FAST! Do we really get THAT much more today for all the additional power of PCs, or isn't it true most power is needed to power the many many many code and library layers?

- So to come back to Flash, what I also like about it that the Player is pretty lean compared to what it does.

- the integration Javascript-Flash (Actionsccript) is VERY good (and Actionscript is ECMA script like Javascript, but they try to hide the prototypipcal inheritance and make it appear to be a "classical" inheritance language... oh well.

- What is BAD about Flash: Adobe is a BIG company and VERY bad at reacting to individual problems. Instead of bugfixes you get a completely new release 8and have to pay them again, big time - I had to purchase Creative Suites 1, 2 and 3 so far... but I must admit I'm quite happy with it overall)

So to finish my long but somewhat confused comment (my problem is I always start way too may thoughts and then get lost - don't tell me you didn't notice :-) ), for *my* problem of producing multimedia content I still cannot think of anything else but Flash! I obviously *have* to use "multimedia", and webbrowsers don't do that (plus the other advantages mentioned above).

Yes, for showing nothing but ads or a menu that could easily be redone in HTML/JS I don't see a place for Flash, see www.ibm.com which is a 30% Flash page as of late... (what for???)

But to place the burden of the sins of content authors on the Flash platform, which can be VERY useful indeed (even more so if the format was under a BSD-license :-) ), is wrong IMHO.

Michael

Re:They don't have to be (1)

XanC (644172) | about 7 years ago | (#20825749)

That's fine and all, and it looks like you have a neat site. You're talking about building an app for a particular platform, Flash, and that's fine; you've got some bad and good and found what works for you. My complaint is about bog-standard video being buried under Flash for no particular reason.

Re:They don't have to be (1)

mha (1305) | about 7 years ago | (#20825825)

I forgot to mention that I like being able to use various pixel based content like videos or images in different resolutions and handled independently of one another, and vector based content. Plus, the link between everything is loose - made by Flash code (even if you produce an animation in the Flash authoring environment it is saved as code in the end).

If I wanted to produce one big (learning) video that would not matter, right, but even there I have an argument to keep the various content pieces separate: To put vector content into a video AND then use a highly compressing video codec *greatly* reduces quality. By keeping vectors as vectors I get the perfect quality on any device.

Second, for MY project I like to keep things seperate, because in the end I would like to have a platform for shared development of content. So the individual pieces like videos, audio, images, small animations, small quizes, etc., stay separate and can be individually reused in other contexts. My course player takes a behavior description of what/when/where to display the various pieces as one piece of learning content, keeping flexibility (it is possible to provide several versions of the same course simply by changing the behavior description, instead of having to recompile (into a monolithic video) the whole thing) and the greatest quality for each piece (a video is a given resolution and that's it for all times)!

Michael

Re:They don't have to be (1)

forkazoo (138186) | about 7 years ago | (#20825723)

What's wrong with posting MPG files for people to download? Every site these days is Flash video, or insists and assumes you're running a Web browser, wrapping their video file in Flash controls and burying the actual URL to the actual file people want to see under a dozen redirects.

All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??


No, it's actually trivially easy to have both a flash player and a simple download link. They haven't invented any new magic that makes simple, correct, "old school" solutions not work. They just ignore them. ::sigh:: for the one or two videos I have on my website, this is exactly what I do, and also what I recommend for all my clients. For better or worse, I don't have many clients.

Control, Data mining, Money (1)

BlueParrot (965239) | about 7 years ago | (#20826041)

A number of things.

a)Most users don't realize it is easy to copy the flash movies from your /tmp ( or whatever the equivalent is on windows ) and thus it acts as a weak form of DRM, forcing people to return to the site since they don't know how to download a permanent copy.

b)Flash stores data on the client computer ( a bit like cookies ) which is used to snoo... errr... automatically obtain customer feedback.

c)Flash lets you have all kinds of annoying banners, clickable monkeys, advert overlays, etc ...

So in short:
Control, Data mining, Money

It won't end as such, but eventually competitors that offer a better/different type of service will appear. The old sites won't go away thou, because some people won't care about the adds and continue to use them. Sort of like you get tabloids, magazines and newspapers. At the end of the day, pick the ones you like and ignore the crap. I'm sure there is some firefox plugin which lets you block flash on all pages except the ones you explicitly whitelist ( will somebody link it since I'm ignorant about it ? ).

Re:They don't have to be (1)

vertinox (846076) | about 7 years ago | (#20826375)

All I want is the URL so I can play it with mplayer. I have no intention of putting Flash on my machine. Is that so danged difficult??

Do you promise to view all the ads on the site and to not direct link the MPG on your blog without crediting the source?

But seriously, the one nice thing about Youtube is that it gives me the ability upload video to a 3rd party site and not have some leecher hose my web server. Sure flash is crappy, but I think in the end... Most people with web servers were tried of people just using up all their bandwidth on direct linked files which is why Flickr, Photobucket, and Youtube are so popular.

$1,000 web hosting fees aren't funny after getting your funny video linked on Fark.

Re:They don't have to be (1)

XanC (644172) | about 7 years ago | (#20826521)

How does that have one thing to do with Flash? Send YouTube your video and they can host the embedded MPG.

Re:They don't have to be (0)

Anonymous Coward | about 7 years ago | (#20826727)

Then write some code to disable remote linking, it's not rocket science.

Re:They don't have to be (1)

mpcooke3 (306161) | about 7 years ago | (#20826687)

There are plenty of reasons, here are some:
    - Flash has better penetration than native MPEG players and native embedded players.
    - Gives a more consistent user experience regardless of OS/browser
    - It is guaranteed that most users will be able to work out how to play the video, even if they don't understand downloading or what an mpg is.
    - Guarantees that that the user can stay on the site and easily navigate elsewhere.
    - Gives less annoying advertising options than post/pre-roll ads.
    - Works even if the .mpg browser association or content-type mapping is out of date or wrong.
    - Works even if the native .mpg player is in a state where it is unable to play videos.

I would hazard a guess that there are more users of video sites who don't understand what MPEG or a native video player is, than geeks who want to access the underlying video stream.

Re:They don't have to be (1)

TheRaven64 (641858) | about 7 years ago | (#20827333)

I think 1997 was the last time I used a GUI web browser that couldn't play MPEG video. The problem with MPEG is that it's big. Flash video is not as good as something like H.264 in terms of video quality for size, but it's much better than MPEG-1, and much more widely supported.

Re:They don't have to be (1)

antdude (79039) | about 7 years ago | (#20827773)

MPEG files are bigger and have higher quality than Flash video format (FLV). People would have to wait longer to watch those MPEGs for those with slower Internet connections.

Indevitable? (2, Funny)

circletimessquare (444983) | about 7 years ago | (#20825055)

thufferin' thuccotas! that's a dethpicable sylvesterism!

Re:It's Indevitable. (1)

code shady (637051) | about 7 years ago | (#20825711)

Hasn't this already been done?
I seem to recall nefarious crackers using the myspace embedded video feature to serve up Windows Media files that took advantage of code execution in the Windows Media Player.
Or is this just new an interesting because it's flash, instead of WMV?

Re:It's Indevitable. (1)

nor_fariza (1162811) | about 7 years ago | (#20826421)

I have to agree with this. A simple line of code to play embedded media files may be manipulated to trigger an alarm. As simple as it may seem, when there's an authentication between systems, it is still vulnerable to any form of attacks. It's just a matter of how and when will it happen.

Anyone seen any code? (4, Insightful)

grassy_knoll (412409) | about 7 years ago | (#20824983)

"The next logical step seems to be the media players," Rouland said.


So, are they just guessing FLV may sometime become a virus vector? Has someone done a proof of concept?

TFA makes it sound like the Georgia Tech Information Security Center is making it up as they go along.

Re:Anyone seen any code? (0)

Anonymous Coward | about 7 years ago | (#20825217)

did you RTFA?

"One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened."

The article says that the report is part of a conference where security experts discuss new threats for the coming year and methods of dealing with it. Georgia Tech found a couple of examples of video being used as an attack vector.

Re:Anyone seen any code? (2, Informative)

grassy_knoll (412409) | about 7 years ago | (#20825281)

That's a redirection, not necessarily an infected FLV.

Re:Anyone seen any code? (0)

Anonymous Coward | about 7 years ago | (#20825679)

Most likely it was that .wmv attack from a while back where Microsoft's DRM allowed the video creator to specify a webpage for the video to display in order to obtain a license for that video. Playing the video made that page popup automatically.

Re:Anyone seen any code? (1)

datadigger (1014733) | about 7 years ago | (#20825623)

My PP (Peer Poster) is right. And redirections from within a media file are far from new. I wonder who patented this, he should be punished.

Re:Anyone seen any code? (2, Insightful)

Technician (215283) | about 7 years ago | (#20825629)

So, are they just guessing FLV may sometime become a virus vector? Has someone done a proof of concept?

TFA makes it sound like the Georgia Tech Information Security Center is making it up as they go along.


The FA was short on details, but from what I've seen in online video, there are 2 probable ways this is done. Most flash video sites require scripting to be on.. Duh there is a vector right there. Other sites insist you download their viewer (Untrusted software anyone?). With an untrusted viewer and scripting on, a video could easily launch this attack.

"could" (1)

deesine (722173) | about 7 years ago | (#20826117)

"With an untrusted viewer and scripting on, a video could easily launch this attack."

Could, is not does. The GP was simply asking for any evidence (you know, actual cases) of FlashVideo being used as a vector for attack. Two categories: possible attacks & actual attacks. Let's be clear which one we mean.

The word (4, Informative)

Anarke_Incarnate (733529) | about 7 years ago | (#20825023)

is viruses. Virii is made up. Go look it up. Viri is man, there is no "virii"

Re:The word (1, Insightful)

Woek (161635) | about 7 years ago | (#20825071)

Mod parent up, "virii" should be exterminated!

mod grandparent down (0)

Anonymous Coward | about 7 years ago | (#20826075)

News flash - computer viruses are computer code, not viruses.

Lets create a law saying anyone referring to the plural of "computer virus" has to use "computer viruses" in every instance.

Otherwise, make up a new term "virii" referring to computer viruses, and continue to use "viruses" for the biological ones to prevent cross contamination in database search results.

Yep. (0)

Anonymous Coward | about 7 years ago | (#20825177)

When people try to look smart by using incorrect words like "virii" they wind up looking both stupid and pretentious.

Way to go, Zonk. We're all really impressed.

Re:The word (3, Funny)

Anonymous Coward | about 7 years ago | (#20825433)

Correct. There is no virii.

Unless you find them on your boxen.

Re:The word (0, Offtopic)

Colin Smith (2679) | about 7 years ago | (#20825453)

All words are made up. Live with it... Or go learn telepathy.
 

Re:The word (1)

Bobb Sledd (307434) | about 7 years ago | (#20826065)

I knew you were going to say that.

Re:The word (2, Funny)

Anarke_Incarnate (733529) | about 7 years ago | (#20826821)

well, then all I have to say to you, sir, is Blahjk kniga nuok! covered in natalie portman

P.S. The g is silent, as is the first k and the last !

Re:The word (1)

pilgrim23 (716938) | about 7 years ago | (#20825655)

Vir is man. Viri is men (Latin)

Re:The word (1)

Anarke_Incarnate (733529) | about 7 years ago | (#20825977)

typo....... It happens with big hands and a foaming rant on my fingertips.

Re:The word (1)

deathy_epl+ccs (896747) | about 7 years ago | (#20826007)

You must be new around here.

Re:The word (1)

Anarke_Incarnate (733529) | about 7 years ago | (#20826791)

that would explain why my UID is so much lower than yours :)

Re:The word (0)

Anonymous Coward | about 7 years ago | (#20826309)

To go by the image, "virii" must be some breed of caterpillars.

Re:The word (1)

mjkjedi (717711) | about 7 years ago | (#20828023)

You mean I can't use virii to hax0r people's boxen? :P

Re:The word (1)

ConceptJunkie (24823) | about 7 years ago | (#20828627)

I don't have a problem with it being made up. I have a problem with it being stupid.

The word "virii" implies the singular is "virius" and is only used by clueless people who are dazzled by the double i's. If you are going extrapolate grammar and spelling constructs based on other languages, which is a time-honored hacker tradition [catb.org] , then at least be consistent about it.

Given that, by extrapolation from the word "radius", it then makes sense to talk about two Toyota "Prii", but two "viri", with one 'i' at the end.

Of course.... (3, Funny)

TechForensics (944258) | about 7 years ago | (#20825029)

... you don't have to worry if you run Linux!

Re:Of course.... (-1, Troll)

Anonymous Coward | about 7 years ago | (#20825239)

Well, at least not about viruses. You might have to worry about personal hygiene, eternal virginity, and never getting out of your parent's basement.

But yeah, not about getting a virus. Which is the most important thing, because if my entire social life revolved around being online, I'd want 5 9s uptime too!

the plural of virus is viruses (4, Informative)

kcokane (253536) | about 7 years ago | (#20825061)

in the text: ... with worms and virii....

note: there is no Latin plural for the word
virus (means slime, basically). the expected
plural, viri, is the plural of vir (man). the
plural of virus is viruses.

Re:the plural of virus is viruses (1)

Chyeld (713439) | about 7 years ago | (#20825409)

I'm surprised that this is not as well known as it is. Having had a feminist neighbor living next door for over five years now, one would think that it would be immediately obvious that the plural of slime would be men. Aren't the synonyms or something?

Re:the plural of virus is viruses (1)

trongey (21550) | about 7 years ago | (#20825515)

I'm surprised that this is not as well known as it is. ...

That looks like one of the best self-contradicting sentences I've never seen.

Re:the plural of virus is viruses (1)

spammacus (805242) | about 7 years ago | (#20826931)

Not to mention that even if there were a plural form it would certainly not be virii, since that suggests a singular of virius, which is nonsense.

Re:the plural of virus is viruses (0)

Anonymous Coward | about 7 years ago | (#20828051)

Actually, I believe the expected plural is vira (as "virus" is neuter). That doesn't really matter, as it's true that it was never used in the plural in Latin. Viruses is definitely the proper English plural.

Not IN the videos (0)

Anonymous Coward | about 7 years ago | (#20825113)

Flash player may conduct viruses. Or Real Player may conduct viruses. Or WMP may conduct viruses.

I have yet to see any evidence of the videos themselves containing viruses.

And linking to a malware site isn't a virus as well.

There's a lot of conjecture here. (3, Funny)

jackpot777 (1159971) | about 7 years ago | (#20825133)

Isn't this all a bit "Schrodinger's Cat"? These virii are half-written, half not written, and we only get to know which one it is if we open the video clip of Anna Kournikova...

Would the esteemed learning establishment care to debate if we will be living on the moon, wearing shiny suits, eating meal pills, flying around with our prsonal jet-packs? I for one want to know ...or at least have someone hypothesize if such a thing may be possible.

Hmmmm.

it's Flash Video, not 'flash media' (0)

Anonymous Coward | about 7 years ago | (#20825215)

hey 'technical writing geek,' you need a little schooling--'flash media' is something like a thumb drive or other non-disk storage space, while Flash Video is streaming video based on the Flash platform. you're welcome!

Why should Flash have any kind of write access??? (5, Insightful)

G4from128k (686170) | about 7 years ago | (#20825247)

Why in the world should the Flash player have any kind of access/execution/write privileges on the browser's machine? I can understand that the player needs to be able to execute some form of code to create interactivity, but shouldn't this be so totally sandboxed that presents a minimal threat to the user or the OS.

This just confirms my opinion that Flash is an evil cancer on the web designed to move control of the web experience from the person browsing to the Flash author (who maybe a botnet builder).

Re:Why should Flash have any kind of write access? (1)

Datamonstar (845886) | about 7 years ago | (#20825307)

I'm pretty sure that Bill Gates could come much closer to being the botnet king if he wanted to.

Re:Why should Flash have any kind of write access? (1)

homer_ca (144738) | about 7 years ago | (#20825757)

It's security vulnerabilities in old versions of Flash Player that make them vulnerable to malicious files. Here's one of the more severe ones: http://secunia.com/advisories/26027 [secunia.com] . It doesn't matter if the file has no executable content when the reader has a buffer overflow that can be exploited with a malicious file. Strictly speaking, the exploit is executable machine code.

The issue of executable or scriptable content in media files is something different. As other people pointed out, WMVs can have script a web event, like opening a browser to a certain page, but in that case, a malicious website would be exploiting your browser. The media player is just a vector to open that web page.

Re:Why should Flash have any kind of write access? (1)

CodeBuster (516420) | about 7 years ago | (#20826085)

The Flash player runs in memory as a process, or at least within the memory space of a host process, and it is taking a stream of data from an outside source according to a protocol. There must be methods for handling that data and if those methods are not carefully constructed then it it may be possible for a malicious user to smash the stack [securityforest.com] by sending carefully crafted packets to the host running the flash session. Now, most modern operating systems, even including Windows after the 9.x branch was retired, protect memory access on a per process basis so that the operating system itself cannot be compromised in this way. However, it may still be possible for an attacker to gain control of the Flash player itself and do anything which the flash player could do, including possibly reads and writes to certain files or calls to API functions. In this manner, when there were flaws found in the Windows API functions, the attacker might conduct a multi-stage attack whereby the Flash player is compromised first and then an Windows API function is called with another crafted exploit, piggybacking on the first attack, to complete the compromise. Every program that directly faces the network over a port is potentially subject to these types of attacks so this is not something special about Flash per se.

Re: Online Video May Conduct Viruses (3, Funny)

bogie (31020) | about 7 years ago | (#20825295)

Was it a morally corrupt web site? Those are the worst kind.

They are lying (-1, Redundant)

MarsDefenseMinister (738128) | about 7 years ago | (#20825331)

You can't download the virii from a video, because the virii are entirely fictional. It's viruses, dang it.

Not new (4, Informative)

packetmon (977047) | about 7 years ago | (#20825463)

This attack vector isn't new however its spreading more and more as time progresses. What I find to be a worst attack vector are the ad servers such as Doubleclick, Akamai, etc.:

Yahoo's Right Media had Trojans in banner ads
Posted by Elinor Mills

For several weeks starting in early August, visitors to MySpace, Photobucket, Bebo and other high-traffic Web sites were exposed to banner ads that contained Trojan horse software that could wreak havoc on a computer.

Web security company ScanSafe tracked the malicious ads back to Yahoo's Right Media network and estimates that they ran several million times, according to The Washington Post's Security Fix news site. (source [news.com]

Re:Not new (1)

OneMemeMofo (901314) | about 7 years ago | (#20825849)

From the article:
For several weeks starting in early August,...
The ads used Macromedia Flash files to exploit a hole in Microsoft's Internet Explorer browser that was patched in February.

So once again we see an alarm that could have been avoided if people patched their system...
I love stories like this, they remind me WHY I moved on from being a tech to being a programmer.

Re:Not new (1)

IhuntCIA (1099827) | about 7 years ago | (#20826387)

So once again we see an alarm that could have been avoided if people patched their system...
So once again we see an alarm that could have been avoided if people had erased the player from their system...

there ... I have corrected it for You.

Online video may conduct Virusses ? Old news ! (2, Informative)

Anonymous Coward | about 7 years ago | (#20825577)

Why is this posted as a supposedly novel discovery ?

A previous post allready mentioned WMV format has an on-purpose function build-in that lets it "phone home" (and retrieve whatever code it likes) without as much as a peep to the user.

The real issue here is not that some kind of "information" (movies, PDF's, etc) could harbour methods to retrieve (or even contain) the actual malicious code, but how the creators of those methods think that its a good idea to let their displaying-software "phone home" 1) whenever it likes 2) without notifying the user 3) without offering a way to disable it (it should be off by default if you ask me ...)

The solution.... (0, Flamebait)

Khyber (864651) | about 7 years ago | (#20825627)

Ban flash. Hell, ban all Adobe products - every bit of software they acquire seems to get revamped into crap, and minus photoshop all the software they develop is bloated and slow.

YES! FP (-1, Troll)

Anonymous Coward | about 7 years ago | (#20825731)

things I still shitheads. *BSD can no longer be the longest or OpenBSD. How many BE NIGGER! BE GAY! backwards. To the reciprocating win out; either the between each BSD world. GNNA members BE NIGGER! BE GAY! Nigger Association of events today, parti^es, but here vitality. Like an Baby take my Users all over the be a lot slower [nero-online.org] and mortifying she had no fear isn't a lemonade irc.secsup.org or a child knows that FreeBSD is metadiscussions are incompatible you loved that very distracting to mechanics. So I'm You down. It was that he documents give other people

Irony (1)

Thaelon (250687) | about 7 years ago | (#20825967)

irony:

Technical Writing Geek
A report on threats via the Internet released by a Georgia Tech research center indicates online video may be a new avenue of attack. As the popularity of flash media continues to explode, hackers may be targeting embedded video players and more traditional video downloads with worms and virii. 'One worm discovered in November 2006 launches a corrupt Web site without prompting after a user opens a media file in a player. Another program silently installs spyware when a video file is opened. Attackers have also tried to spread fake video links via postings on YouTube ... Another soft spot involves social networking sites, blogs and wikis. These community-focused sites, which are driving the next generation of Web applications, are also becoming one of the juiciest targets for malicious hackers.'
Emphasis mine.

Is there a tool to remove wrappers? (2, Interesting)

CranberryKing (776846) | about 7 years ago | (#20826089)

If for example a wmv file really contains and mpeg with some junk, is it enough to rename that whole file .mpeg or can you actually remove the junk. Something that does like a

$ cat wrapped.wmv | grep -v "http://spawnsomecrap.com/crap.html" > clean.mpeg ..except in a windows utility (or command?!.)?..

How does this work?? (1)

sherriw (794536) | about 7 years ago | (#20826295)

I never understood how this is even possible. Like vulnerabilities in image formats or video formats. How does this work? The media player, or image viewer, should be reading the bits in the file and display it as an image, or as video. Why do these bytes of data get executed? Who writes an application which opens an image file, reads the bits from the file and then EXECUTES it ?!?!?

I just don't get it. I'd love an explanation. Maybe it's like a website that takes user input and runs it as server side code... or some such. Just seems stupid to me. It should be impossible to have your video file executed...

Re:How does this work?? (2, Insightful)

CoffeeIsMyGod (1136809) | about 7 years ago | (#20826441)

It's a little bit more subtle than that. Here is a simple example: there could be a section of the file that is supposed to be 100 bytes long, null terminated. The program could read it in but some joker put 200 bytes and a null there instead and the program dutifly reads all 200 bytes into a 100 byte buffer. If the size isn't checked you could overflow the stack, overwrite the return pointer, and cause the function that read the bytes return execution into some bits of code that are storred in the buffer. Think of it as hijacking the execution process.

Most media readers don't actually execute the media.

Well, except for the embedded URL feature in Windows media... and Flash ActionScript... and...

Oh dear.

Re:How does this work?? (1)

sherriw (794536) | about 7 years ago | (#20826591)

Thank you so much for that example!!

Re:How does this work?? (0)

Anonymous Coward | about 7 years ago | (#20826629)

Why do these bytes of data get executed?

The most well-known way for this to happen is exploiting a buffer overflow vulnerability in the program doing the reading.

http://en.wikipedia.org/wiki/Buffer_overflow [wikipedia.org]

A basic explanation on how it can work:

When the image viewer (or whatever) is reading the data, it will store a reference to "what to do after it's done reading data." This is most likely to another function in the same image-viewing program.

Now, if the programmer isn't careful, the data they are reading might grow beyond what they expected. The program might continue loading the image data into memory without checking to see if they've read too much. Once this happens, the locations in memory around where the image data is stored can get overwritten by image data. This includes the reference of "what to do next." An attacker can craft an image to overwrite this location with anything they desire. Once the image loading function is done, it looks to see what to do next, and see what the attacker put into memory, and executes it.

The video IS the virus... (1)

Cragen (697038) | about 7 years ago | (#20826321)

most of the time. IMHO. I viewed video as the next necessary evil. Reminds me of how I avoided making purchases over the Internet for the first 5-7 years of its existence only to find that my wife, on her computer, had been making credit card purchases over the Internet the whole time. Ah, well. I now follow the really, really, really big school of itty bitty fish philosophy for lack of a better idea. (Well, that and my teens help keep my credit cards maxxed and my bank account empty.)

Thanks to Debian, I'm safe! (0)

Anonymous Coward | about 7 years ago | (#20826447)

Flash only ever works for about a week at a time on my Debian-64 system, before some

# apt-get dist-upgrade
borks it yet again.

Where's my sidecar? (0)

Anonymous Coward | about 7 years ago | (#20826755)

This sort of thing really gives me POOR IMPULSE CONTROL. >=(

Conduct? (1)

danhuby (759002) | about 7 years ago | (#20826843)

Shouldn't that be "contain" not "conduct" viruses? The use of the word conduct makes me thing the video is telling the virus what to do, or something. Or is it conduct like lightning? Still not a great analogy.

The article is almost bad with it's talk of video being a "conduit" for viruses.

Dan

Re:Conduct? (1)

deftcoder (1090261) | about 7 years ago | (#20827533)

Pointing out grammar errors and then using "it's" instead of "its" doesn't really help your case.

Third person singular pronouns do not use apostrophes for their possessive forms. e.g. his, hers, its

it's = it is

Rick Rolled (1)

rograndom (112079) | about 7 years ago | (#20826851)

Although it may be disturbing, that Rick Astley youtube video is pretty much harmless to your computer and should not be considered a "virus" per se.

Virii? (0, Redundant)

XantheKnight (986840) | about 7 years ago | (#20826907)

Ahem... I do believe the word virus is a fourth-declension latin derivative, where therefore its plural is viruses and not virii. Also the root would be vir- not viri- and so even if it were a second declension (-us noun) its plural would be viri, and not virii. Unfortunately, I believe viri is already the plural of the word vir, which means "man" (viri - men).

In soviet Russia (1)

rusher81572 (1005753) | about 7 years ago | (#20827859)

In soviet Russia, viruses conduct you!

Flash? No, blame Microsoft (0)

Anonymous Coward | about 7 years ago | (#20827897)

OK, disregard the trollish subject line...
Why blame Flash when MS's WMA and WMV formats are the biggest culprits of such exploits?

Stephenson (0)

Anonymous Coward | about 7 years ago | (#20828395)

No Snowcrash references...
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?