, Newsbytes 2002-02-25
A quirk in media players from Microsoft and RealNetworks could enable attackers to hijack Web browsers and run scripts on the computers of some MP3 music fans.
The trick has apparently been discovered by pornography sites and spammers, which have been seeding some music file trading services with bogus MP3 music files.
One such MP3 file, ostensibly containing the music of the Los Angeles-based rock group Lifehouse, launched a pornographic video and generated a "massive" amount of pop-up ads when played back on the Windows Media Player from Microsoft, according to one newsgroup report.
Tests by Newsbytes have shown that both the Windows Media Player and the RealOne Player from RealNetworks are susceptible to the attack, which involves creating a special multimedia file in the players' respective proprietary formats, and then renaming that file so that it has a .MP3 extension.
Representatives of Microsoft and RealNetworks were not immediately available for comment.
Because they cannot contain viruses or other malicious code, files in the MP3 format are generally trusted by Internet users, who freely swap such files with strangers over services such as Morpheus, Grokster and Kazaa.
But security experts today said the popular players' handling of multimedia files could open a new door for "malware" writers.
"With this feature, security holes in Internet Explorer are now exploitable from MP3 files," said Richard M. Smith, an Internet consultant and formerly chief technology officer for the Privacy Foundation.
In fact, the booby-trapped MP3s circulating on file swapping services are not MP3s at all, but instead are camouflaged files in the proprietary formats created by Microsoft and RealNetworks.
In tests by Newsbytes, both companies' media players ignored discrepancies between a file's actual media format and its file name extension.
For example, a special multimedia file created by Newsbytes in Microsoft's proprietary .WMA format played back properly in the Windows Media Player after being renamed with a .MP3 extension. The demonstration launched Web pages in the listener's browser while an audio track played.
Similarly, the RealOne player successfully launched a RealVideo file that had been renamed with a .MP3 extension and vice versa.
According to Thor Larholm, a Danish security researcher, downloaded media files with embedded URLs and scripts are subject to the security features built in to Microsoft's Internet Explorer browser. Since such files are usually treated as local files by IE, they may have additional privileges that allow the files to run hostile ActiveX components and execute commands, he said.
AOL Time Warner's WinAMP media player is not capable of playing such renamed files, nor are any other popular music players that do not support Real's and Microsoft's proprietary formats.
In response to a growing threat from malicious HTML e-mail messages, Microsoft has made similar changes to its Outlook e-mail reader, Smith said.
Microsoft's information on embedding URLs in digital media files is available at http://msdn.microsoft.com/library/en-us/dnwmt/html/wmp7_urlflips.asp .
Real's page on synchronized multimedia is http://service.real.com/help/videoccg/synchmm.html .
A demonstration of the issue is at http://www.pc-radio.com/camouflage.html .
Reported by Newsbytes, http://www.newsbytes.com .