The vulnerability as described by security experts illustrates the classic trade-off between security and functionality. In giving its media player the ability to read scripts and to open Web pages, Microsoft outlines a wide array of potential uses. "Inserting URLs into your digital media files and embedding the Windows Media Player ActiveX control in a Web page results in a powerful, synchronised presentation that is organised and convenient for your audience," reads a Microsoft Web page on the topic. "By using the ActiveX control in a script, you can create a set of framed Web pages. One frame can contain the embedded ActiveX control for playing the audio or video lecture, while another frame displays the synchronised URLs encountered in the digital media stream. The URLs can be links to additional study tools, diagrams, lecture notes, or a quiz available on the Web."

Microsoft, long criticised in security circles for prizing new features over security and privacy protections, last month promised to clean up its act and its image with a "Trustworthy Computing" initiative. In addressing the potential media-file vulnerability, Microsoft's Aldridge said the initiative would influence the company's handling of the issue. "We have a renewed commitment at Microsoft to develop trustworthy products," Aldridge said. "This scenario is being included in this process of viewing all functionality through the lens of providing more security and privacy to our users."

Online music-sharing network Gnutella was hit by its own worm one year ago, despite assurances from security experts that the music-trading sites were less vulnerable to attack than traditional systems such as email networks. Security experts said the Gnutella outbreak differed fundamentally from the newly described potential problem with script-carrying media files.

"This would be an email mass-mailing bomb, something that spreads by mass communications media, as opposed to a file-infecting virus that passes from computer to computer," said Trend Micro's Parry.

Don't panic

Other recent media-file security incidents include an anti-file-swapping hack being considered by the Recording Industry Association of America and a hoax that spread false information about an MP3 viral threat.

Parry said his company was not scanning media files and would not do so until or unless the problem graduated from a potential threat to a real one. "I refuse to panic when somebody speculates about something like this," Parry said. "There are thousands of known, unexploited potential threats out there. For the time being, this is a theoretical issue, and if it becomes real, go to your antivirus company and there will be something to do after this particular vulnerability shows up."

Like Microsoft, RealNetworks advised people concerned about the security threat posed by music files to be wary of their digital music's source. "A lot of people are getting MP3 files from untrusted sources," said Alex Alben, vice president for government affairs at RealNetworks. "They're trading MP3s, getting them from those sites that are operating on P2P (peer-to-peer) file sharing. And I guess there's an element on the Web that's taking advantage of those sources."

Microsoft and RealNetworks are collaborating with other companies on separate initiatives to offer digital music on a subscription basis.
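The mechanism the article describes, URLs embedded in a media stream that the player hands to the browser as it plays, is exactly where a page author can put a check. The following is an added example, not code from the article, from Microsoft or from RealNetworks: a page-side allowlist that only opens stream-delivered URLs that are absolute https links to sites the page author trusts, and logs everything else as blocked. It assumes, as a labelled assumption based on the Windows Media Player object model, that the ActiveX control raises a ScriptCommand event with a command type and a parameter for each embedded command; the event flow itself is simulated with constructed sample commands so that the code runs stand-alone in Node without the player. The site names are hypothetical.

```javascript
// Added example (not from the article, Microsoft or RealNetworks): filter URLs
// that arrive as script commands inside a media stream before the page opens them.
//
// Assumption: the Windows Media Player ActiveX control surfaces each embedded
// command as a ScriptCommand(scType, param) event, and a "URL" command would by
// default be opened in the browser. Here that flow is simulated so the
// allowlist check can be exercised without the player.

// Hypothetical sites the lecture page trusts. Only absolute https URLs with
// one of these origins may be opened from the stream.
const ALLOWED_ORIGINS = new Set([
  "https://lectures.example.edu",
  "https://quiz.example.edu",
]);

// Constructed sample of script commands as a player might deliver them from a
// tampered stream: one legitimate URL flip plus several hostile ones.
const SAMPLE_STREAM_COMMANDS = [
  { scType: "URL", param: "https://lectures.example.edu/notes/week3.html" },
  { scType: "URL", param: "http://lectures.example.edu/notes/week3.html" },  // plain http
  { scType: "URL", param: "javascript:alert(document.cookie)" },           // script URL
  { scType: "URL", param: "https://evil.example.net/payload.html" },       // off-list host
  { scType: "URL", param: "file:///C:/Windows/system32/cmd.exe" },         // local file
  { scType: "CAPTION", param: "Welcome to week 3" },                        // not a URL flip
  { scType: "URL", param: "https://lectures.example.edu@evil.example.net/" }, // userinfo trick
];

// Returns true only for absolute https URLs whose origin is on the allowlist.
function isAllowedUrl(raw) {
  let url;
  try {
    url = new URL(raw);                // throws on relative or malformed input
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;     // rejects javascript:, file:, http:
  if (url.username || url.password) return false;  // rejects trusted-host@evil-host lookalikes
  return ALLOWED_ORIGINS.has(url.origin);          // origin = scheme + host + port
}

// Handle one script command. `navigate` is the function that would actually
// open the URL (window.open or a frame's location in a real page). Returns a
// record of what was done so the page can keep an audit trail.
function handleScriptCommand(scType, param, navigate) {
  if (String(scType).toUpperCase() !== "URL") {
    return { action: "ignored", scType, param };   // captions etc. never navigate
  }
  if (!isAllowedUrl(param)) {
    return { action: "blocked", scType, param };
  }
  navigate(param);
  return { action: "opened", scType, param };
}

// Feed a whole stream's worth of commands through the handler and return the log.
function processStream(commands, navigate = () => {}) {
  return commands.map((c) => handleScriptCommand(c.scType, c.param, navigate));
}

// Stand-alone demo: only the first command reaches `navigate`.
const opened = [];
const auditLog = processStream(SAMPLE_STREAM_COMMANDS, (u) => opened.push(u));
for (const entry of auditLog) {
  console.log(entry.action.padEnd(8), entry.scType.padEnd(8), entry.param);
}
```

In a real page the handler would be wired to the control's command event and `navigate` would set the companion frame's location; the point is that the decision to open a URL is made by the page, against a fixed list, rather than by whatever was written into the media file.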