URLANDEXIT

Publicated on : 1215650045
Just influencing the Google results for URLANDEXIT.



You might ask why. Well, there seems to be a total of 170 Google results on that keyword and only about 10 of them slightly mention only it's feature not it's danger. The bulk of the results are Spyware logs. Go figure. This is the problem with the security industry, they forget too much. I knew back in 2003 that Windows media files could execute code in an ASF stream, but more importantly open up webpages instead of showing media content. Microsoft knew this also back in 2003[1], and patched Windows to disallow movies to execute code in an ASF stream but still allowed the movies to execute or redirect to malware without the surfers consent c.q. notification that malware is being loaded instead of music or a video stream.



Attackers know more than most people in the security industry until they read that something is being exploited that is fairly new to them. And that is certainly alarming, because how many of those people in the security industry do research themselves? and what about vendors who design such features? Well, I am pretty certain that probably only a handful of my readers working in the security industry or for large software vendors knew about this and maybe a few that also know that this is being exploited as we speak, and maybe very few who actually knew that this is possible since at least early 2003. Right now media files are being spread which contains auto redirects to malware. I am actually amazed that it took so long for attackers to exploit it, and for the security industry to pick up on it. So here I go:



It's problem lies in the the following features:

- PlayerScriptCommandsEnabled: - disabled as default (since 2003)
 

- WebScriptCommandsEnabled: - default is 1 (enabled)
 

- URLAndExitCommandsEnabled: - default is 1 (enabled)

Well, at least I thought that you should be informed about this. Many files out there that can play in Media Player are not safe. Also some media files are also padded with nulls to fake a convincing filesize. Here is one (modified) example that I posted in the forums. Which in terms is even more interestingly because no-one picked this up, besides a few of my fellow dedicated forum readers:

WMF SDK Version 11.0.5721.5145 WMF SDK Needed0.00000Is VBR ASFLeakyBucketPairs
 

URLANDEXIT1http://www.fastmp3player.com/affiliates/772465/1/

[0] http://www.google.com/search?q=URLANDEXIT

[1] http://support.microsoft.com/kb/828026/en