A New Zealand penetration tester found video editing software vulnerabilities that could allow frames to be injected into major Hollywood films.
Security-Assessment.com tester Nick Freeman dissected software used in some of Hollywood's most popular films - from script writing to post-production - to find vulnerabilities.
He found that although no single software vendor controls the end-to-end process of film-making, "every part of the process has software that is vulnerable".
Most of the software fell to vulnerabilities within six hours of installation, with only a few test subjects managing to avoid complete failure.
Once a vulnerability was found, Freeman contacted the relevant engineers and executives at each company to notify them of the bug and offer help in fixing it. He scored the vendors on how responsive and willing to help they were.
The worst of the lot was also one of the biggest.
Nick Freeman ranked non-linear editing software vendor Avid the worst of the bunch in addressing and fixing vulnerabilities.
Avid software was used in several major films including Iron Man 2, Avatar and Star Trek. Freeman was able to exploit a vulnerability in a recent version of its Media Composer suite within an hour of installation.
Freeman discovered that a remote listening service in the editing software could be overflowed with oversized network requests, crashing the software.
While the vulnerability itself was not necessarily serious, he said the ensuing discussions with the vendor - one of the few tested to have a dedicated security team - proved fruitless.
"It was far too easy to exploit," he said.
"There have been two updates since then but the vulnerabilities are still there. I don't know if they'll ever get around to patching it."
None of Freeman's exploits were usable by a remote user, but it is believed similar bugs have been used in recent years to gain access to film footage prior to release.
Most were exploitable because of basic programming flaws that have been well understood for two decades.
"The vendor's main goal I guess is to have products with extensive functionality and with strict deadlines, and security falls off the road map in the process."