Windows Media Player plays Ogg files through DirectShow filters, which are an independent
implementation of the Vorbis specification. Also of note is how Windows Media Player is treated under
Windows Vista. In older versions of Windows, Internet Explorer and Windows Media Player both run with the
same level of privilege. Windows Vista runs Internet Explorer at a restricted privilege level (Protected Mode)
to help mitigate browser attacks. However, when a media file is opened from within IE, WMP is spawned at
the user's default "medium" privilege level, outside that restriction. For this reason, attackers may well
shift their focus away from exploiting the browser itself to exploiting external handlers like WMP, since a
bug in the handler yields more privilege than a bug in the browser.

FLAC uses Vorbis comments for its media metadata and carries its own integrity checks: a CRC on each
frame and an MD5 signature of the decoded audio in the stream header, the latter often compared against
an external MD5 fingerprint file. FLAC can also be stored inside an Ogg container (Ogg FLAC).

Asterisk, the open-source VoIP PBX, can be configured to use Speex or Ogg Vorbis, so any DoS or code
execution bug in these codecs potentially becomes one in the PBX itself. If a vulnerability is found in
one of these codecs, a malicious payload can be injected into an in-progress call with a tool like RTPInject.
Note that in Asterisk, Speex is an RTP codec while Ogg Vorbis support is a file format used for recording and
playback, so the live-injection path applies to Speex; Vorbis data reaches the PBX through files such as
prompts and voicemail.

Search software like Beagle, or any other program that indexes metadata through third-party libraries,
inherits the vulnerabilities of those libraries as well. This also means that simple possession of a malicious
file is enough to trigger these problems, since the indexer parses it as soon as it appears on disk, rather than
actual playback. Furthermore, media metadata could be a venue to exploit the product itself rather than the
parsing libraries; it is worth noting that Beagle has a web interface in which indexed metadata is displayed.
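The Vorbis comment block is the piece of metadata that FLAC, Ogg Vorbis and any indexer of either format must parse, so it is a good place to make the bug pattern concrete. The following C is an added illustration, not code from the paper or from FLAC, Beagle or any other product named here: first the trusting parser pattern behind many length-field bugs, then a bounds-checked form that rejects the same hostile blocks. The sample blocks and function names are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Vorbis comment block, all integers little-endian:
 *   u32 vendor_length, vendor_string[vendor_length],
 *   u32 user_comment_list_length,
 *   { u32 length, comment[length] } x user_comment_list_length   */

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE PATTERN: every length field is trusted. Shown to make the bug
 * concrete; never call it on untrusted data. */
int vorbis_comment_count_unsafe(const uint8_t *buf)
{
    size_t pos = 4 + rd_le32(buf);      /* hostile vendor_length: pos now points past the buffer */
    uint32_t n = rd_le32(buf + pos);    /* out-of-bounds read */
    pos += 4;
    for (uint32_t i = 0; i < n; i++) {  /* n = 0xFFFFFFFF: ~4 billion iterations, a DoS on its own */
        uint32_t len = rd_le32(buf + pos);
        pos += 4;
        char *s = malloc(len + 1);      /* len = 0xFFFFFFFF: len + 1 wraps to 0, so malloc(0) */
        if (!s) return -1;
        memcpy(s, buf + pos, len);      /* heap overflow with an attacker-chosen length */
        s[len] = '\0';
        free(s);
        pos += len;
    }
    return (int)n;
}

/* HARDENED: each length is compared against the bytes actually remaining
 * (never pos + len, which can wrap), and the comment count is bounded by
 * the data left. Returns the comment count, or -1 for a malformed block. */
int vorbis_comment_count_safe(const uint8_t *buf, size_t size)
{
    size_t pos = 0;
    if (size - pos < 4) return -1;
    uint32_t vendor_len = rd_le32(buf + pos);
    pos += 4;
    if (vendor_len > size - pos) return -1;
    pos += vendor_len;

    if (size - pos < 4) return -1;
    uint32_t n = rd_le32(buf + pos);
    pos += 4;
    if (n > (size - pos) / 4) return -1;    /* every comment needs at least its 4-byte length */

    for (uint32_t i = 0; i < n; i++) {
        if (size - pos < 4) return -1;
        uint32_t len = rd_le32(buf + pos);
        pos += 4;
        if (len > size - pos) return -1;
        pos += len;                          /* a real parser would copy/validate "KEY=value" here */
    }
    return (int)n;
}

/* Constructed samples (not taken from any real file). */
static const uint8_t VALID_COMMENTS[] = {
    0x04,0x00,0x00,0x00, 'X','i','p','h',                  /* vendor "Xiph" */
    0x02,0x00,0x00,0x00,                                   /* two comments */
    0x07,0x00,0x00,0x00, 'T','I','T','L','E','=','x',
    0x08,0x00,0x00,0x00, 'A','R','T','I','S','T','=','y',
};
static const uint8_t HOSTILE_VENDOR[] = {                  /* vendor_length = 0xFFFFFFF0 */
    0xF0,0xFF,0xFF,0xFF, 'X','i','p','h', 0x00,0x00,0x00,0x00,
};
static const uint8_t HOSTILE_COUNT[] = {                   /* empty vendor, count = 0xFFFFFFFF */
    0x00,0x00,0x00,0x00, 0xFF,0xFF,0xFF,0xFF,
};

int main(void)
{
    printf("valid block:            %d\n", vorbis_comment_count_safe(VALID_COMMENTS, sizeof VALID_COMMENTS));
    printf("hostile vendor length:  %d\n", vorbis_comment_count_safe(HOSTILE_VENDOR, sizeof HOSTILE_VENDOR));
    printf("hostile comment count:  %d\n", vorbis_comment_count_safe(HOSTILE_COUNT, sizeof HOSTILE_COUNT));
    return 0;
}
```

Both parsers agree on the well-formed block; only the hardened one survives the hostile ones, and note that the hostile count block needs no comment bodies at all, which is why an indexer merely opening the file is enough to hit the problem.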

Media is not often considered a security-sensitive area; however, the ubiquity and complexity of media codecs
make them especially prone to security bugs, some of them obscure and difficult to detect through source
review, static analysis or simple fuzzing. Existing tools do not expose these bugs well because they are not
targeted at the stream formats involved: a blind mutation that breaks the container's framing or checksum
is discarded before the codec's decoding logic ever sees it.
Because of the vast amounts of untrusted data media software now consumes, it needs to become standard
practice for the vendors and programmers of media codecs, players and related software to write their own
format-aware fuzzers for their products, and to turn up these issues as part of the development process.
Hopefully the information and tools presented here will help to initiate this process.
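To show what "targeted to the stream format" means in practice, here is the minimum an Ogg-aware fuzzer needs, as an added example in C that is not one of the tools the paper presents: the Ogg page CRC (polynomial 0x04C11DB7, initial value 0, no reflection, no final XOR, computed with the CRC field zeroed), a routine that rewrites it after a mutation so the page is accepted by the container layer, and a deterministic single-byte payload mutator. The sample page, offsets and function names are constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define OGG_CRC_OFF 22          /* CRC field offset inside the 27-byte page header */
#define OGG_SAMPLE_PAYLOAD 28   /* payload start in the constructed sample page below */

static uint32_t crc_table[256];
static int crc_ready;

/* Ogg CRC-32: polynomial 0x04C11DB7, initial value 0, no reflection, no final XOR. */
static uint32_t crc_update(uint32_t crc, const uint8_t *buf, size_t len)
{
    if (!crc_ready) {
        for (uint32_t i = 0; i < 256; i++) {
            uint32_t r = i << 24;
            for (int j = 0; j < 8; j++)
                r = (r & 0x80000000u) ? (r << 1) ^ 0x04C11DB7u : r << 1;
            crc_table[i] = r;
        }
        crc_ready = 1;
    }
    for (size_t i = 0; i < len; i++)
        crc = (crc << 8) ^ crc_table[((crc >> 24) ^ buf[i]) & 0xFF];
    return crc;
}

uint32_t ogg_crc32(const uint8_t *buf, size_t len) { return crc_update(0, buf, len); }

/* CRC of a whole page with the CRC field taken as zero, as the format requires. */
uint32_t ogg_page_crc(const uint8_t *page, size_t len)
{
    static const uint8_t zero[4];
    uint32_t c = crc_update(0, page, OGG_CRC_OFF);
    c = crc_update(c, zero, 4);
    return crc_update(c, page + OGG_CRC_OFF + 4, len - OGG_CRC_OFF - 4);
}

void ogg_page_fix_crc(uint8_t *page, size_t len)
{
    if (len < 27) return;
    uint32_t c = ogg_page_crc(page, len);
    for (int i = 0; i < 4; i++) page[OGG_CRC_OFF + i] = (uint8_t)(c >> (8 * i));
}

int ogg_page_crc_ok(const uint8_t *page, size_t len)
{
    if (len < 27 || memcmp(page, "OggS", 4) != 0) return 0;
    uint32_t stored = 0;
    for (int i = 0; i < 4; i++) stored |= (uint32_t)page[OGG_CRC_OFF + i] << (8 * i);
    return stored == ogg_page_crc(page, len);
}

/* xorshift32: deterministic, so a crashing case is reproducible from its seed. */
static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s; x ^= x << 13; x ^= x >> 17; x ^= x << 5; return *s = x;
}

/* Change one byte of the page payload (header and segment table untouched), then
 * recompute the CRC so the page survives the container's integrity check and the
 * mutated data actually reaches the codec. Returns the offset changed, or -1. */
long ogg_page_mutate(uint8_t *page, size_t len, uint32_t seed)
{
    if (len < 27 || memcmp(page, "OggS", 4) != 0) return -1;
    size_t payload = 27 + page[26];           /* 27-byte header + segment table */
    if (payload >= len) return -1;
    uint32_t r = seed ? seed : 1;             /* xorshift must not start at 0 */
    size_t off = payload + xorshift32(&r) % (len - payload);
    uint8_t old = page[off];
    do page[off] = (uint8_t)xorshift32(&r); while (page[off] == old);
    ogg_page_fix_crc(page, len);
    return (long)off;
}

/* Constructed sample page, not from a real stream: one 9-byte segment. */
static const uint8_t SAMPLE_PAGE[] = {
    'O','g','g','S', 0x00, 0x02,              /* capture pattern, version, header_type = BOS */
    0,0,0,0,0,0,0,0,                          /* granule position */
    0x78,0x56,0x34,0x12,                      /* stream serial number */
    0,0,0,0,                                  /* page sequence number */
    0,0,0,0,                                  /* CRC, filled in by ogg_page_fix_crc */
    0x01, 0x09,                               /* one segment of 9 bytes */
    0x01,'v','o','r','b','i','s',0x00,0x00,   /* payload */
};

/* Mutate a copy of the sample page. Returns 1 when exactly one payload byte
 * changed, the header before the CRC is intact and the page still passes the
 * CRC check; 0 otherwise. */
int demo_mutation_keeps_crc(uint32_t seed)
{
    uint8_t orig[sizeof SAMPLE_PAGE], mut[sizeof SAMPLE_PAGE];
    memcpy(orig, SAMPLE_PAGE, sizeof orig);
    ogg_page_fix_crc(orig, sizeof orig);
    memcpy(mut, orig, sizeof mut);
    long off = ogg_page_mutate(mut, sizeof mut, seed);
    if (off < OGG_SAMPLE_PAYLOAD || off >= (long)sizeof mut) return 0;
    if (!ogg_page_crc_ok(mut, sizeof mut)) return 0;
    if (memcmp(orig, mut, OGG_CRC_OFF) != 0) return 0;
    int diffs = 0;
    for (size_t i = OGG_SAMPLE_PAYLOAD; i < sizeof mut; i++) diffs += (mut[i] != orig[i]);
    return diffs == 1;
}

/* The contrast: a blind bit flip with no CRC fix-up. Returns 1 when the page
 * is rejected, i.e. the mutation would never reach the codec. */
int demo_blind_flip_rejected(void)
{
    uint8_t p[sizeof SAMPLE_PAGE];
    memcpy(p, SAMPLE_PAGE, sizeof p);
    ogg_page_fix_crc(p, sizeof p);
    p[OGG_SAMPLE_PAYLOAD + 2] ^= 0x80;
    return !ogg_page_crc_ok(p, sizeof p);
}
```

A real fuzzer built on this would iterate over every page of a stream, mutate the Vorbis identification, comment and setup headers as well as audio packets, and log the seed with each crash; the point of the CRC step is that without it every such mutation is silently dropped at the container layer and the codec is never exercised.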