Music – and malware – while you work

A blog from Trusteer’s Dana Tamir points out that media players – so regularly used by people while they work yet often overlooked by security professionals – are also becoming a prime target for sneaking malware into systems.


OK, hands up all those who like listening to music while they are working? The majority of people seem to like it, and rather than the old ways of everyone listening to a collective radio broadcast or some somnolent Muzak, a set of headphones and a PC with a media player serves extremely well these days.

But a recent blog by Dana Tamir, director of enterprise security at the IBM-owned security specialist, Trusteer, shows that this apparently harmless – and even productive – pastime is actually fraught with security dangers.

The company’s research has demonstrated that vulnerable media players are constantly targeted by hackers, and that many security professionals may be missing this important loophole because media players are most commonly used by individuals, on their own PC and usually in their own time.

But the growth of BYOD, and the cross-pollination of work and play on and between laptop systems, means that the humble and apparently harmless media player is fast becoming a major route into hacking and infiltrating corporate networks. Microsoft PCs come with an integral media player, and there are many variants that can be downloaded from the web.

As Tamir pointed out in the blog: “because these applications are not controlled, and users are not in a rush to patch these applications, most installations are vulnerable to exploits.”

She points out that, according to the US National Vulnerability Database (NVD), over 1,200 vulnerabilities have been discovered in media players since 2000. Most of them have been found in the most popular programs, with Apple’s QuickTime and iTunes leading the way, both with over 250 vulnerabilities identified.

The major reason for media players to have become a target is that they are designed to work with files delivered remotely, such as streaming music and video. “By developing weaponized media content, i.e. an audio or video file that contains an exploit that takes advantage of a media player vulnerability, an attacker can effectively deliver malware to the user’s machine,” Tamir wrote in the blog.

“All that is left for the attacker is to send the weaponized file to the target user, or convince a target user to view the content from a compromised website using phishing and social engineering schemes. Typical examples include “promotional videos”, links to “free” song downloads and more.”

And most important of all, she points out that this is no theoretical threat. Exploits have been seen in the wild that target both known and unknown zero-day vulnerabilities in media players. And while many vulnerabilities have patches available, the level of their deployment is still poor, so known vulnerabilities are open to exploitation.

So this is another application area that security professionals need to add to their checklists. As well as recommending a Trusteer product, as might be expected, Tamir also restates the important, if obvious, security best practice: always apply security patches to vulnerable applications as soon as they become available.

But she also recommends investing in technologies that can block both known and unknown vulnerabilities, such as Trusteer Apex.
