Security Basics mailing list archives

RE: Streaming Media


From: LordInfidel <LordInfidel () Directionweb com>
Date: Wed, 1 Oct 2003 13:32:51 -0400

As with any application, there will always be some sort of risk.

There are exploits out there against media players (real and wmp).
But they are against the players themselves, not the protocol.

This would be similar to an IE or Outlook exploit.  Just allowing
web traffic thru does not automatically make you vulnerable to
attacks.  (excluding the source port 80 attack scenarios that stateful
firewalls should be dropping anyways).

But if an end user was enticed to go to a malicious website, they
would then be vulnerable to attack.

Same goes for streaming media services.  If the end user
goes to a malicious site and tries to stream a malicious
file, then yes, they would be vulnerable.

There are risks however of allowing UDP packets thru.  But
the big 3 (real, wmp and QuickTime) can all stream over
http 80.  You just need to configure the players as such.

<in their default state, all protocols are selected and the
players will try each one until they make a connection. so streaming
media may already be taking place without you knowing about it>

UDP is more flexible and fast when it comes to streaming.
However, as long as the stream server is set up for http streaming,
which most major vendors are, then you should not have a problem, but
rebuffering is more common over tcp than it is over udp.

When your users complain about rebuffering it is not necessarily
the stream server as much as the chosen protocol the stream is being
delivered over.

If you are going to allow streaming thru, you can do it one of 2
ways.  Either configure the end users' players to use HTTP only,
or make sure that your firewall rules are configured correctly.

LordInfidel

-----Original Message-----
From: Simple Simon [mailto:simplesimon042 () hotmail com]
Sent: Wednesday, October 01, 2003 6:54 AM
To: security-basics () securityfocus com
Subject: Streaming Media


Hi List!

I am looking desperately for information on security risks at the usage of 
streaming media. Do you have any recommendation??

Thanks,
Simon
