New Security Holes Put PC Users at Risk
The media streaming security issues highlighted at the
Black Hat conference point to the need for media player vendors to keep up to
date on their patches, said Gartner's Paul Proctor. "If you can find a
vulnerability in a codec -- one that can pass executable code through to the
media player -- then anybody can insert that into a Web site."
The next wave of hacker attacks seeking to exploit unaware PC users might come
from an unexpected source: streaming media files.
During his presentation at the Black Hat conference in Las Vegas last week,
iSEC security researcher David Thiel noted that when Web surfers go to a video
content site such as MySpace or YouTube, there is no way to get the multimedia
content to shut off. This lack of control is an opening that hackers could
potentially exploit to install malicious software on PCs without the computer
owner's knowledge.
"Thiel has been playing around with vulnerabilities that exist in the codecs
for media players," explained Gartner research vice president Paul Proctor. "If
you can find a vulnerability in a codec -- one that can pass executable code
through to the media player -- then anybody can insert that into a Web site."
Risky Business
"The bad guys seem to gravitate around the porn sites, which already are all
about streaming video and sound, so they are a likely place for somebody getting
attacked because the criminals are already there," Proctor said. "It points to
the need for the media player vendors out there to keep up to date on their
patches."
Turning off the various types of media may be another option, Proctor added,
but that would "change your Web experience quite a bit."
Streaming media isn't the only technology that might mean risky business for PC users. Another Black Hat
session showed how easy it can be to hack the tiny radio frequency
identification (RFID) chips now used by many businesses and government agencies
to track products as they move through distribution channels.
Although the session on RFID "was kind of an academic exercise, it was
important in that it showed ways to write tags more securely, as well as how to
go about extracting information from them while pointing out the weaknesses in
the strength of the RFID security along the way," said Yankee Group senior
analyst Phil Hochmuth.
"One of the more pressing issues is the potential out there for extracting
information from the RF chips embedded into the latest U.S. passports," Hochmuth
added.
Read full article at NewsFactor.com