Media players vulnerable to hacking

Media players in personal computers are vulnerable to hacking as online criminals can attach malicious code and infect computers, a research group based in San Francisco, the United States, has found.

As a result, audio and video downloads can be turned into digital weapons that hackers could use to hijack or corrupt computers.

David Thiel, a senior security consultant with iSEC Partners, announced his findings at the Black Hat hacker conference in Las Vegas, the United States.

According to Paul Proctor, vice-president (research) with Gartner Incorporated, the findings could pressure companies to investigate flaws in their media players and patch them quickly.

Online sharing of videos and music, which is at the centre of today’s internet lifestyle, gives hackers dangerous new avenues for attacking computers, security specialists say.

Malicious code can be hidden in video streamed or downloaded from websites such as YouTube or songs streamed from social-networking websites, including MySpace.

The potential for attack is pretty severe, David Thiel warned. “Any MySpace page you go to, you can’t get it to stop playing music at you. You will probably start seeing malware installs this way just like we see through images.”

The kinds of malware (malicious software) that can be ‘injected’ through video or music files run the gamut from programs meant to be annoying to code that takes command of infected machines for ‘bot armies.’

Thiel said stream formats are good for containing exploit code and are quite dangerous because of the widespread use of it with kids online these days, and they are used so constantly.

Applications vulnerable to hackers include those used for MP3 music files, a speech feature in Microsoft’s Xbox Live online video game software, and internet telephony.

Security specialists at Black Hat say the popularity of ‘user-generated content’ – considered a defining characteristic of today’s Web 2.0 internet – opens users to betrayal and attack online. Web 2.0 is a trust model, with users controlling the content.

Says a specialist: “You are building this gigantic network of friends. You have to trust that I am who I say I am and that the content is what I say it is. Trust is sometimes taken advantage of.”

Malware-tainted video or audio files uploaded to social-networking websites can be rapidly sent to members by automated programs.

In 2006, it was revealed that hackers use RSS (Really Simple Syndication) feeds to distribute malicious code to thousands of people instantly.

David Thiel believes that music recording labels and movie studios will use flaws in media files to insert stealth coding that tracks or disables pirated songs, shows or movies. Media software applications vulnerable to hacking are being used in ‘smart’ mobile telephones as well as cars and home multi-media systems.

It is imperative that computer users educate themselves regarding protecting software and dangers lurking on the internet, another specialist insisted. People should bear in mind that websites in certain countries such as Russia are often lures set up by cyber criminals, and websites offering content such as sex videos frequently hide computer viruses, he said.