Joe St Sauver, Ph.D.
Director, User Services and Network Applications
joe@oregon.uoregon.edu
By now, nearly everyone knows that MP3 files are compressed digital music files.
What you may not know is that MP3s can expose your system to attacks by unethical
website operators or hackers/crackers.
Last February Bugtraq saw reports of MP3 files that could cause malicious web
pages to be opened in the user's browser when an MP3 file was played.
See, for example: http://online.securityfocus.com/archive/1/258122
This exploit was also covered in ZDNet and other online news sources
(http://zdnet.com.com/2100-1104-846051.html).
This vulnerability lies in the ability of MP3 and certain other digital music
file formats to include URLs and web scripting calls. The intent behind these
features was to allow synchronization of content displayed in multiple browser
frames. Unfortunately, this also has the potential for abuse, such as using
a music file to launch an unwanted web page--which may in turn open other unwanted
pages when closed. (See "Dealing with Pop-Up-Under Web Advertising.")
Protect yourself. The most important thing you can do is to not trade MP3s. MP3s you get from someone else may contain code of the sort described above (or worse). Another protective measure is to disable JavaScript, Java, and ActiveX in your browser. This makes it much harder for a hacker to hijack your browser. Finally, some MP3 players may have patches designed to counter this vulnerability; make sure you've installed all available patches.
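As an added example (not part of the original article), here is one way to check a music file for embedded URLs or script calls before opening it in a player. The function names, the container checks (ID3v2, bare MPEG audio, ASF) and the sample bytes are assumptions of this example; the article does not name the exact mechanism, so the scan looks for link strings anywhere in the file rather than in one tag format.

```python
import re

# ASF/WMA header GUID; treating ASF as one of the "other formats" is an assumption.
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")          # plain ASCII / Latin-1 text
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")   # the same text stored as UTF-16LE
LINK = re.compile(r"(?:https?|ftp)://[^\s\"'<>]+|javascript:\S+", re.I)


def container(data: bytes) -> str:
    """Identify the container from its first bytes, ignoring the file name."""
    if data[:3] == b"ID3":
        return "mp3-id3v2"
    if data[:16] == ASF_GUID:
        return "asf"
    if len(data) > 1 and data[0] == 0xFF and data[1] & 0xE0 == 0xE0:
        return "mpeg-audio"
    return "unknown"


def embedded_links(data: bytes) -> list[str]:
    """Return URL and script-scheme strings found anywhere in the file.

    Matches are candidates for review: text that directly follows a URL
    with no separator can be absorbed into the match.
    """
    texts = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    texts += [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return sorted({hit.group() for t in texts for hit in LINK.finditer(t)})


def triage(name: str, data: bytes) -> dict:
    """Summarise what a player would be handed if this file were opened."""
    kind = container(data)
    is_mp3_name = name.lower().endswith(".mp3")
    return {"container": kind,
            "name_mismatch": is_mp3_name and not kind.startswith(("mp3", "mpeg")),
            "links": embedded_links(data)}


# Constructed samples (not real files): an MP3 whose tag carries a URL,
# and an ASF file that has been given an .mp3 name.
SAMPLE_MP3 = (b"ID3\x03\x00\x00\x00\x00\x00\x22WXXX\x00\x00\x00\x18\x00\x00"
              b"\x00\x00http://ads.example/pop" + b"\xff\xfb\x90\x00" * 4)
SAMPLE_ASF = (ASF_GUID + b"\x00" * 8
              + "http://ads.example/under".encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    for fname, blob in (("song.mp3", SAMPLE_MP3), ("track.mp3", SAMPLE_ASF)):
        print(fname, triage(fname, blob))
```

A file that reports any links, or whose container does not match its name, deserves a closer look before it is played in a browser-integrated player.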