re: Music Files - New Codec injection attacks add danger for Multi-media files

Chris Quirke — Mon, 01 Sep 2008 02:14:02 GMT

Better file type discipline would help, too - IOW, files named as .MP3 should not be "opened" as .WMA or .ASF if that is what the (hidden) internal type info claims them to be. A file that spoofs the UI type info is suspect, and should be treated as such!

Behind this, is .ASF itself - looks like the same old "by design" stupidity that allows files that are expected to be low-risk "data" to act as autorunning code.

As to "trsuted sources" - these days, one sedom navigates by unique address, and these unique addresses are themselves spoofable at the DNS backbone level.

re: Music Files - New Codec injection attacks add danger for Multi-media files

Alun Jones — Wed, 16 Jul 2008 14:59:34 GMT

Asking people to get their media files from trusted sources is one solution - another is to ask people to get their _codecs_ from trusted sources, too.

Obviously, it's a little difficult to say _what_ is a trusted source for either media or codec, but there are likely to be fewer codec sources to vet than there are media sources, you generally won't get into trouble for downloading a codec (unless it's proprietary).

Lesson: don't ever install a codec that came with the media, and where possible, disable any ability your player has to automatically fetch a codec from the media's declared source. Only fetch codecs from the media player's trusted source, or failing that, a trusted third party - but never from where the media tells you to go.