Media player users beware: more vulns ahead

Security researchers are warning that popular media players offered by Microsoft and AOL are vulnerable to attacks that can completely compromise a user's PC. Attack code has already been released for the bug, which has been confirmed in a codec used by older versions of Windows Media Player, made by Microsoft, and in AOL's Winamp. A Symantec researcher has warned that users of other players may also be at risk because the vulnerability itself resides in a commonly used MP4 codec produced by a company called 3ivx Technologies.

"The exploit works by supplying victims with a maliciously formed MP4 file," Raymond Ball wrote for Symantec's DeepSight Threat Management System. "When a victim unknowingly clicks a link that appears safe, the MP4 content is delivered, causing the exploit to run."

View: The full story @ The Reg


Note how the vulnerability is in the codec, not in the media players themselves. These types of vulnerabilities are especially bad when you consider how widely used the codecs are outside the media players, e.g. by the Windows thumbnail extractor. Simply viewing a thumbnail of a malicious video in Explorer (or in the File Open dialog box of any app) could cause the exploit code to run.

I *believe* that Vista runs all thumbnail extraction in a separate process that runs with lower privileges, which would help to mitigate the damage the exploit code would do.

This is a good example of why it is good to be cautious when installing "codec packs" from the Internet.

That is the stupidest short-form I've ever heard. Is it cool nowadays to shorten things in the computer world?
"I bought a new flat mon yesterday for my comp, it can use lots of progs, dood!"

Here come more vulns down the road...
I hope this stops or normal users will develop a high sense of paranoia when going online.