Actually, any file extension that is associated with the vulnerable applications can be used. Even .WAV files can be used to "hijack" users to a web site containing a powerful ActiveX Control. The URL can even include a direct link to an executable, or to a web site that automatically downloads and executes an executable. There is also a privacy aspect to this exploit. Users that play illegal multimedia files, such as .MP3 and MPEGs, can be tracked by web sites that logs their IP Address or even much more personal details. For example, an ActiveX Control embedded on a web site can pull out your e-mail address. This technique is powerful. However, there are many ways to "hijack" users to a web site, and the main issue is: How to protect users from malicious active content in web sites. Finjan has put a .WAV demo to test your vulnerability to this attack. Upon opening this audio file with vulnerable software, a sound will be played and you'll be "hijacked" directly to Finjan Software's ActiveX demo. More details can be found in: http://www.finjan.com/attack_release_detail.cfm?attack_release_id=67 -- Menashe Eliezer Manager, Malicious Code Research Center Finjan Software - Proactive Defense Against Malicious Code Web: http://www.finjan.com/mcrc -----Original Message----- From: Brian McWilliams [mailto:brian@pc-radio.com] Sent: Sunday, February 24, 2002 4:14 AM To: David Korn; bugtraq@securityfocus.com Subject: Re: Windows Media Player executes WMF content in .MP3 files. I've confirmed the report below. Windows Media Player (like RealPlayer) allows content developers to create slide shows or "illustrated audio." That is, you can create a stream in the player's native media format (.asf, .wma. .wmf) that includes embedded URLs, scripts, etc. http://msdn.microsoft.com/library/en-us/dnwmt/html/wmp7_urlflips.asp Turns out that if you feed the WMP a .wma file that has embedded URLs and that has been renamed to end in .mp3, the WMP will happily treat the file like one of its own and launch the URLs in the browser when it encounters them in the stream. Demo here: http://www.pc-radio.com/gimp.mp3 59k (19 second) wma file that has been renamed to mp3. Should launch three separate Web pages during playback with Windows Media Player. Brian
