The Christian Science Monitor          

Aug 2, 2007

Researcher Finds Media Player Flaws

By JORDAN ROBERTSON AP Technology Writer

LAS VEGAS (AP) -- Media players in personal computers have
serious vulnerabilities that could allow online criminals to
attach malicious code and infect computers without the user's
knowledge, a researcher said Thursday.

As a result, audio and video downloads can be turned into
digital weapons that hackers could use to hijack or corrupt
computers, said David Thiel, senior security consultant with
San Francisco-based researcher iSEC Partners.

Thiel, who exposed the flaws on relatively obscure open-source
media players during a presentation at the Black Hat hacker
conference, said he has found several flaws in popular
commercial players. But he declined to provide their brand
names because, he says, he is still disclosing the exploits to
the companies so they can issue fixes.

He isn't aware of any current attacks using the
vulnerabilities he's discovered but said they're hard to

"The actual potential for attack is reasonably severe because
nobody cares about actually playing videos from YouTube or
playing music on Web pages - you can't get music to stop
playing at you," he said. "Because this stuff is launched
automatically, I think the impact could be significant."

Paul Proctor, a research vice president with Gartner Inc.,
said Thiel's findings could pressure companies to investigate
flaws in their media players and patch them quickly.

Hackers have targeted media players before, Proctor said, but
Thiel's attacks appear to infiltrate the machines more deeply
and circumvent traditional Internet safeguards.

Thiel unveiled a new program using a technique called
"fuzzing" - corrupting the files used in applications in a
controlled way to find exploitable bugs - to identify
weaknesses in various media players.

"This is a new frontier for hacks," Proctor said. "The
straightforward, basic truth is that companies that make media
players of all types will have to become as vigilant."

Thiel and other programmers are exposing security
vulnerabilities during the two-day Black Hat conference and
will continue doing so at the three-day Defcon convention that
starts here Friday. So-called "white hat" hackers present
flaws to alert companies that their products are vulnerable to
pranks or serious attacks by malicious or "black hat" hackers.

Jeff Moss, director of Black Hat, said conference organizers
picked Thiel to present his findings because digital audio and
video files are becoming phenomenally popular on YouTube,
MySpace and other social networking sites.

"This is the next logical place to attack," Moss said. "People
know not to open strange documents, but they click on MP3s all
day long."

