23

I know that there is already a question related to viruses in videos, but the implication in the other question is that videos in question have been downloaded and played by media software on the target computer. The answer for that question is that yes, viruses can be embedded in videos for this purpose.

But what I am instead referring to are videos viewed through browsers (which are technically media software on target computers, if you want to split hairs). Now obviously we are talking about two distinct types of video: flash and HTML5 (MP4, WebM, Ogg). Are either/both of these vulnerable to this sort of exploitation, and if so, how would it operate? Presumably the browsers are somewhat sandboxed, so we would be talking about the browser specifically being targeted, rather than the computer on which the browser is on?

Stumbler
  • 513
  • 1
  • 4
  • 7
  • 49
    Well they say that some videos go viral ... – Hagen von Eitzen May 02 '16 at 14:22
  • 1
    With [Cross-Site Scripting](http://security.stackexchange.com/questions/1368/can-anybody-explain-xss) (XSS) you could get a virus not from the video itself but from injected code before you play to the video. A nasty XSS vulnerability can make your entire DOM vulnerable so injecting malicious code before a video executes would definitely be in the realm of possibility. –  May 02 '16 at 17:52
  • I was seriously thinking about transferring the genetic sequence of SARS-CoV-2 (a few pages of text). – Volker Siegel Jan 11 '21 at 22:08

3 Answers3

35

but the implication in the other question is that videos in question have been downloaded and played by media software on the target computer.

No it is not. The implication is that there need to be a bug in the code handling the data. For instance the ffmpeg library is used in browsers like Chrome or Firefox and it had several serious bugs in the past. And of course Flash had lots of vulnerabilities too so the problem exists for both HTML5 and Flash based media playing.

Presumably the browsers are somewhat sandboxed...

This is an assumption which is not necessarily true. Some browsers like Chrome or Edge are sandboxed and some like Firefox are not sandboxed (yet). In case of sandboxes it gets much harder to exploit but it is not impossible as regularly shown at Pwn2Own.

Steffen Ullrich
  • 190,458
  • 29
  • 381
  • 434
  • 3
    @MSB: Maybe I'm understanding the question different than you in which case it might be helpful if you actually say which part of the question is still open. What I understand and answered is: [1] is it possible to exploit a browser with a bad video -> yes, for both HTML5 and Flash. [2] Does the browsers sandbox offers better protection than a standalone media player -> better but not full protection and not all browsers even have a sandbox. – Steffen Ullrich May 02 '16 at 13:21
  • 1
    Hmm... correct me if I'm wrong but that exploit patch history is almost exclusively focusing on denial-of-service and overflows. Bit different from infecting a machine with a virus or trojan, surely? – Stumbler May 02 '16 at 13:46
  • 6
    @Stumbler: buffer overflow is often a good vector to execute your own code. What is probably said with "...possibly have unspecified other impact..." is: we don't have an exploit ourselves but somebody else might create one. – Steffen Ullrich May 02 '16 at 14:12
  • 1
    I'm not sure how sandboxed Edge is. Many people I know have stopped using Edge because when playing videos on certain websites it causes a system crash. The error contains `VIDEO_PLAYER` in the identification string. – wizzwizz4 May 02 '16 at 14:41
  • Are you sure Firefox normally uses FFmpeg? I thought they used GStreamer. – Alexander O'Mara May 02 '16 at 16:32
  • @AlexanderO'Mara: It's using ffmpeg by default on Linux since Firefox 43, see [Firefox Bug 1207429 - (ffmpeg) Enable FFMpeg by default](https://bugzilla.mozilla.org/show_bug.cgi?id=1207429). On Windows/Mac I think it is using the libraries offered by the OS. – Steffen Ullrich May 02 '16 at 17:25
  • https://en.wikipedia.org/wiki/Stagefright_(bug) – Neil McGuigan May 02 '16 at 18:37
  • @wizzwizz4 Edge is robustly sandboxed. (Or, more exactly, the parts of Edge that render page elements are well-sandboxed.) As for the error you describe, I haven't encountered anything like it on my machines (whether with production or Insider builds). I wonder if some sort of issue in the OS graphic subsystem in the kernel is being triggered, or perhaps serious graphics driver incompatibilities occurring. In any case, it sounds to me (off the top of my head) like it's probably not an Edge browser issue but more likely a core OS and/or driver issue. – mostlyinformed May 03 '16 at 09:46
  • @halfinformed Most probably an issue with the Metro interface which, unlike most of the rest of Windows, has not had a few decades of beta and release testing. – wizzwizz4 May 03 '16 at 16:51
11

A web browsers video system is just another video player, so the same problems apply which were mentioned in the linked question. The smaller set of supported video codecs greatly reduces the attack surface, but doesn't make bugs in the decoders for these formats inconceivable. The Adobe Flash plugin is renowned for its plethora of security bugs in the past allowing all kinds of nasty exploits. Keep in mind that a flash animation which looks like yet another video player can do much more than just playing videos, and you have no easy way to find out what exactly it does without running it.

While some web browsers try to improve security through sandboxing, such approaches are not necessarily 100% effective. There were known methods to break out of a browser sandbox, and it might be possible to use these methods through vulnerabilities which can be exploited by playing a malicious video file.

Philipp
  • 49,017
  • 8
  • 127
  • 158
-1

Possibly. Not really with new browsers, as they have better security. However a video cannot cause any damage, unless it forced you to have a full hard disk. However pages can. Mostly if you have plug-ins. Scripts can cause malware, and much more.

ummm
  • 1
  • 1
    Video can cause damage, if there is a vulnerability in the code that processes it. The StageFright bug on Android devices is an example. – S.L. Barth May 03 '16 at 11:15