November 7th, 2008

'Highly critical' vulnerabilities in VLC media player

Posted by Ryan Naraine @ 7:06 am

A pair of “highly critical” vulnerabilities in the cross-platform VLC Media Player could put millions of users at risk of remote code execution attacks, according to a warning from security researchers.

The issues, reported in versions 0.5.0 through 0.9.5, could let hackers take complete control of compromised machines through rigged media files. VideoLAN, the open-source group that manages the VLC project, has released patches and strongly recommends that users upgrade to VLC media player 0.9.6.

Technical details:

  • An error in the CUE demuxer can be exploited to cause a stack-based buffer overflow via a specially crafted CUE image file.
  • An error in the RealText demuxer can be exploited to cause a stack-based buffer overflow via a specially crafted RealText subtitle file.

Exploitation of these issues requires the user to explicitly open a specially crafted file. As with any media player, the standard advice is to avoid opening files from untrusted third parties or accessing untrusted remote sites.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.