Video Sprites and Security

There’s been some discussion recently about whether video sprites in animations can be a security problem. This is outside of any of my usual areas of expertise. So far as I know, a video sprite is recorded image frames that are strung together by a program to follow a path such as an ellipse, or even to perform character actions. Think of video game characters, although the images used can also be of live animals, or basically whatever you like.

So you end up with a movie that has elements generated this way; so what? Well, in QuickTime,

A sprite can also modify its behavior with the passage of time, either “movie” time (the duration in which the movie plays) or in real time. In fact, a sprite can continue to act even after the movie it is in is paused or stopped.
QuickTime Interactivity Gives Your Movies the Smarts.

OK, a sprite isn’t just a movie; it’s a program, implemented by the movie player. Still, so what?

Well, a sprite may also access the Internet:

Access with Java

The QuickTime API is fully accessible through Java. With Java, you can write your own QuickTime-compatible applications, or run Java applets from QuickTime over the web inside a browser.

Java is constrained as to what addresses it can access, but a Java applet can at least contact the address it came from. So if a QuickTime movie can run a Java applet, it would seem the movie can call home, which at the least would report the IP address of the computer running the movie.

Link to URLs

HREF tracks can make the movie’s display area into a clickable link that points to different URLs at different times during playback.

And that would seem to mean there’s no constraint on what URLs a movie could access. If the links have to be clicked to access the URLs, it’s maybe not so much of a problem. (Although the same argument could be applied to phishing messages, which are nonetheless a problem.) If the links can be accessed by the movie without clicking, then a movie can do all sorts of things through the Internet without its user knowing about it.

In one sense, this is no different from web bugs, those 1×1 pixel images buried in web pages that link back to some URL to report what addresses have accessed the web page. But if video sprites can program such accesses, the information reported back could be much more flexible. Especially on a Windows machine, a sprite might be able to access various information on the local disk and report it back.

One can run a firewall that blocks unexpected outgoing connections from one’s own machine, but few people do that, and it’s safe to say that unless Windows comes configured out of the box to do that, most people won’t do that.
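
An added example, not part of the original post: where outgoing connections are logged rather than blocked, the web-bug style call-home described above can be looked for by comparing every request a player makes with the host its movie was fetched from. The log format, the `QuickTime/` user-agent prefix, the file suffixes and all hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (format and values are made up for this example).
SAMPLE_LOG = """\
12:00:01 10.0.0.5 "QuickTime/7.0" http://media.example/clips/demo.mov
12:00:09 10.0.0.5 "QuickTime/7.0" http://media.example/clips/demo-poster.jpg
12:00:14 10.0.0.5 "QuickTime/7.0" http://tracker.example/hit?id=42
12:00:20 10.0.0.5 "Mozilla/5.0" http://news.example/
12:01:02 10.0.0.9 "QuickTime/7.0" http://media.example/clips/demo.mov
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (\S+)$')
PLAYER_UA_PREFIXES = ("QuickTime/",)   # assumption: how the player identifies itself
MOVIE_SUFFIXES = (".mov", ".qt")       # assumption: what counts as a movie load


def off_origin_requests(log_text):
    """Return (client, movie_host, other_host, url) for each request a media
    player makes to a host other than the one its current movie came from."""
    origin = {}      # client IP -> host the most recent movie was fetched from
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, agent, url = m.groups()
        if not agent.startswith(PLAYER_UA_PREFIXES):
            continue  # only traffic issued by the player itself
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.path.lower().endswith(MOVIE_SUFFIXES):
            origin[client] = host   # a new movie load resets the baseline
            continue
        movie_host = origin.get(client)
        if movie_host is not None and host != movie_host:
            findings.append((client, movie_host, host, url))
    return findings


if __name__ == "__main__":
    for client, movie_host, other, url in off_origin_requests(SAMPLE_LOG):
        print(f"{client}: movie from {movie_host} contacted {other} ({url})")
```

A request to the movie's own host is not flagged, which matches the post's point that an applet contacting the address it came from is the baseline case; only off-origin destinations are reported.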

I’m using QuickTime as an example here, because it’s easy to find documentation on sprites in QuickTime. Other animation methods may also be able to do these things. For example, it appears that Flash also has sprites, and that you can even run overlapping Flash and QuickTime sprites.

Like I said, this is outside any of my usual areas of expertise. I hope I’m wrong about my conclusions. Am I?

-jsq