Hollywood flicks hacked

But the holes aren't remotely exploitable.

A New Zealand penetration tester found video editing software vulnerabilities that could allow frames to be injected into major Hollywood films.

Security-Assessment.com tester Nick Freeman dissected software used in some of Hollywood's most popular films - from script writing to post-production - to find vulnerabilities.

He found that although no single software vendor controls the end-to-end process of film-making, "every part of the process has software that is vulnerable".

Most of the software fell to vulnerabilities within six hours of installation, with only a few test subjects managing to avoid complete failure.

Once a vulnerability was found, Freeman contacted the relevant engineers and executives at each company to notify them of the bug and offer help in fixing it. He then scored the vendors on how helpful and willing to engage they were.

But worst of the lot was also one of the biggest.

Nick Freeman ranked non-linear editing software vendor Avid the worst of the bunch in addressing and fixing vulnerabilities.

Avid software was used in several major films including Iron Man 2, Avatar and Star Trek. Freeman was able to exploit a vulnerability in a recent version of its Media Composer suite within an hour of installation.

Freeman discovered a listening network service in the editing software that he could crash by sending it overflowing network requests.

While the vulnerability itself was not necessarily important, he said ensuing discussions with the vendor - one of the few tested to have a dedicated security team - proved fruitless.

"It was far too easy to exploit," he said.

"There have been two updates since then but the vulnerabilities are still there. I don't know if they'll ever get around to patching it."

None of Freeman's exploits could be triggered by a remote user, but it is believed similar bugs have been used in recent years to gain access to film footage prior to release.

Most were exploitable due to two-decade-old basic programming flaws.

"The vendor's main goal I guess is to have products with extensive functionality and with strict deadlines, and security falls off the road map in the process."

Copyright © iTnews.com.au . All rights reserved.