New Security Holes Put PC Users at Risk
The media streaming security issues highlighted at the
Black Hat conference point to the need for media player vendors to keep up to
date on their patches, said Gartner's Paul Proctor. "If you can find a
vulnerability in a codec -- one that can pass executable code through to the
media player -- then anybody can insert that into a Web site."
The next wave of hacker attacks seeking to exploit unaware PC users might come
from an unexpected source: streaming media files.
During his presentation at the Black Hat conference in Las Vegas last week,
iSEC security researcher David Thiel noted that when Web surfers go to a video
content site such as MySpace or YouTube, there is no way to get the multimedia
content to shut off. This lack of control represents a method that hackers could
potentially exploit to install malicious software on PCs without the computer
"Thiel has been playing around with vulnerabilities that exist in the codecs
for media players," explained Gartner research vice president Paul Proctor. "If
you can find a vulnerability in a codec -- one that can pass executable code
through to the media player -- then anybody can insert that into a Web site."
"The bad guys seem to gravitate around the porn sites, which already are all
about streaming video and sound, so they are a likely place for somebody getting
attacked because the criminals are already there," Proctor said. "It points to
the need for the media player vendors out there to keep up to date on their
Turning off the various types of media may be another option, Proctor added,
but that would "change your Web experience quite a bit."
Streaming media isn't the only technology that might mean risky business for PC users. Another Black Hat
session showed how easy it can be to hack the tiny radio frequency
identification (RFID) chips now used by many businesses and government agencies
to track products as they move through distribution channels.
Although the session on RFID "was kind of an academic exercise, it was
important in that it showed ways to write tags more securely, as well as how to
go about extracting information from them while pointing out the weaknesses in
the strength of the RFID security along the way," said Yankee Group Senior
analyst Phil Hochmuth.
"One of the more pressing issues is the potential out there for extracting
information from the RF chips embedded into the latest U.S. passports," Hochmuth
Read full article at NewsFactor.com