Web tunes sound a security alarm
More precisely, you could get a worm along with a song played on a number of popular Internet media players, including Microsoft's Windows Media Player or RealNetworks' RealPlayer. That's because the players provide the ability to embed Web addresses and scripts--key ingredients in self-propagating, hostile code.
"What we're looking at here is the fact that you can have mobile code now inside of a music file," said Richard Smith, a security consultant in Brookline, Mass. "So you start getting into security problems like macro (viruses) in (Microsoft) Word documents, or ActiveX or JavaScript problems in HTML files. Once you get code inside of a data file, you start having problems."
An exploit using music files would rely on a Web browser with a known vulnerability. But reports of the potential problem have raised old concerns about the ability of malicious file-swappers to "poison the pool" of files traded on networks such as Gnutella, MusicCity/Morpheus, Kazaa and other services that have sprung up in Napster's wake.
The potential problem gained attention this week after a discussion on the Bugtraq security mailing list. The thread described a music file that, once opened, began spawning pop-up windows advertising a pornographic Web site.
In addition to their prurient content, the pop-up windows displayed a potent and potentially hazardous capability of media files to embed scripts, security experts said.
One antivirus company, Trend Micro, said it had already identified the problem, though it remained back-burnered as a theoretical threat.
"We are already looking at it," said David Parry, Trend Micro's chief information officer. "It's in the hopper for research."
Microsoft and RealNetworks said they were also looking into the problem.
"What you're seeing is...an example of the misuse of a legitimate feature," said Michael Aldridge, lead product manager for the Windows Digital Media Division. "We're investigating this issue with our development teams to see what issues we can address. One thing that users can do to protect themselves is avoid downloading files from unknown sources."
RealNetworks said it, too, was investigating the issue, but that the problem appears to be a general one for all music files and stems from vulnerabilities in Web browsers, not music players.
"The ability to embed JavaScript exists with any URL and is something you can embed in an MP3 file," said Bob Kimball, vice president of legal and business affairs. "Our player doesn't have any independent ability to render JavaScript; we hand that to the browser, which handles JavaScript according to whatever security precautions the user has set up."
Security vs. functionality
The vulnerability as described by security experts illustrates the classic trade-off between security and functionality. In giving its media player the ability to read scripts and to open Web pages, Microsoft outlines a wide array of potential uses.
"Inserting URLs into your digital media files and embedding the Windows Media Player ActiveX control in a Web page results in a powerful, synchronized presentation that is organized and convenient for your audience," reads a Microsoft Web page on the topic. "By using the ActiveX control in a script, you can create a set of framed Web pages. One frame can contain the embedded ActiveX control for playing the audio or video lecture, while another frame displays the synchronized URLs encountered in the digital media stream. The URLs can be links to additional study tools, diagrams, lecture notes, or a quiz available on the Web."
Microsoft, long criticized in security circles for prizing new features over security and privacy protections, last month promised to clean up its act and its image with a "Trustworthy Computing" initiative.
In addressing the potential media-file vulnerability, Microsoft's Aldridge said the initiative would influence the company's handling of the issue.
"We have a renewed commitment at Microsoft to develop trustworthy products," Aldridge said. "This scenario is being included in this process of viewing all functionality through the lens of providing more security and privacy to our users."
Online music-sharing network Gnutella was hit by its own worm one year ago, despite assurances from security experts that the music-trading sites were less vulnerable to attack than traditional systems such as e-mail networks.
Security experts said the Gnutella outbreak differed fundamentally from the newly described potential problem with regard to script-wielding media files.
"This would be an e-mail mass-mailing bomb, something that spreads by mass communications media, as opposed to a file-infecting virus that passes from computer to computer," said Trend Micro's Parry.
Don't panic
Other recent media-file security incidents include an anti-file-swapping
hack being considered by the Recording Industry Association of America and a hoax that spread false information about an MP3 viral threat.
Parry said his company was not scanning media files and would not do so until or unless the problem graduated from a potential threat to a real one.
"I refuse to panic when somebody speculates about something like this," Parry said. "There are thousands of known, unexploited potential threats out there. For the time being, this is a theoretical issue, and if it becomes real, go to your antivirus company and there will be something to do after this particular vulnerability shows up."
Like Microsoft, RealNetworks advised people concerned about the security threat posed by music files to be wary of their digital music's source.
"A lot of people are getting MP3 files from untrusted sources," said Alex Alben, vice president for government affairs at RealNetworks. "They're trading MP3s, getting them from those sites that are operating on P2P (peer-to-peer) file sharing. And I guess there's an element on the Web that's taking advantage of those sources."
Microsoft and RealNetworks are collaborating with other companies on separate initiatives to offer digital music on a subscription basis.