Hollywood flicks hacked

But the holes aren't remotely exploitable.

A New Zealand penetration tester found video editing software vulnerabilities that could allow frames to be injected into major Hollywood films.

Security-Assessment.com tester Nick Freeman dissected software used in some of Hollywood's most popular films - from script writing to post-production - to find vulnerabilities.

He found that although no single software vendor controls the end-to-end process of film-making, "every part of the process has software that is vulnerable".

Most software fell to vulnerabilities within six hours of installation, with only a few test subjects managing to avoid complete failure.

Once a vulnerability was found, Freeman contacted relevant engineers and executives at the companies to notify them of the bug and offer help in fixing it. He scored the vendors on their responsiveness and willingness to help.

But worst of the lot was also one of the biggest.

Nick Freeman ranked non-linear editing software vendor Avid the worst of the bunch in addressing and fixing vulnerabilities.

Avid software was used in several major films including Iron Man 2, Avatar and Star Trek. Freeman was able to exploit a vulnerability in a recent version of its Media Composer suite within an hour of installation.

Freeman discovered that a listening network service in the editing software could be overflowed with network requests, crashing the software.

While the vulnerability itself was not necessarily important, he said ensuing discussions with the vendor - one of the few tested to have a dedicated security team - proved fruitless.

"It was far too easy to exploit," he said.

"There have been two updates since then but the vulnerabilities are still there. I don't know if they'll ever get around to patching it."

None of Freeman's exploits could be used by a remote user, but it is believed similar bugs have been used in recent years to gain access to film footage prior to release.

Most were exploitable because of basic programming flaws that have been well understood for two decades.

"The vendor's main goal I guess is to have products with extensive functionality and with strict deadlines, and security falls off the road map in the process."

Copyright © iTnews.com.au . All rights reserved.
