Don’t Touch My Wii!

Friday, April 20, 2007 at 1:49pm by David Rayhawk

Here’s an interesting development. Hackers have been working on exploiting the Nintendo Wii. For such a popular tech item, that is a safe assumption–but it looks like one of them has achieved a modicum of success.

First, don’t worry–your Wii is not in grave danger, so you can relax and read on . . . .

A few months ago, a vulnerability in the Opera browser was disclosed (and promptly patched by Opera). Check here for their knowledge-base article. Well, it turns out that Opera is the Internet browser for the Wii (aka “Internet Channel”)–and, it turns out that the original (“trial”) version posted to the store is pre-patch.

So folks that have downloaded the original Internet Channel for the Wii have this vulnerability. You can see a demonstration of it here:

Go to a web page that has the specially crafted JPEG image in it and Opera will crash. That means it’s theoretically possible to run malcode–and according to the hacker conversations they are trying hard to do exactly that.

Hackers are going to be out of luck, though: the patched version of Opera (9.10) was released to the store on 12 April. So time is rapidly running out on pulling off an exploit for this one.

The Internet Channel on the Wii has to be updated manually. So Wii users, if you downloaded the Internet Channel, you need to update it.

Still, this serves as a good reminder that any system, closed or otherwise, is vulnerable to malcode.

But the story goes on: Opera is quite popular on mobile handsets, so we tried it out on several handsets with potentially vulnerable versions of Opera installed. In our brief testing, we had two cases where the image successfully crashed the browser (one Symbian8/s60 and one Symbian9/UIQ).

So there is the potential for concern–especially since someone was kind enough to post the directions for generating the specially crafted images. Now anyone can crash the un-patched browser. Remember, a crash is an opportunity to compromise a system–hard to do, but it does happen.

Now, if only Accounting will approve the lab’s requisition for a Wii for ongoing research purposes. We should probably get a PS3 also, just in case . . . . ;-)

Comments (2)

  • Team QJ April 22, 2007 9:32PM

    Thanks for the information. We spread the word on the exploit. Hopefully many will pick up the news and update soon enough. It’s interesting how the kinks in the Opera code are inherited for every platform. Oh, and Wii is a very good tool for…err…research.

  • Daniel Wolff April 21, 2007 5:00AM

    Personally I think that a Wii for each lab (rather than just the US!) – and indeed a PS3 as well! should be considered essential equipment! (although you may need a product to sell for the Wii too rather than just identifying malware on servers hosting it!)

    Dan Wolff