VLC Player Falls Prey to Critical Flaw
It would seem that multimedia playing software programs are always among the most popular sources of high-level security risks, and this time it's the lesser-known but well thought-of VLC music and video system that has turned up on the vulnerability scrolls.
Secunia researchers have issued a "highly critical" warning for the free VLC player, affecting versions 0.8.6h and earlier for the Microsoft Windows platform. Popular among many multimedia pros for its interface and ease of use, the open source VLC player is used for just about any type of application, including most audio and video formats, including DVDs, VCDs, and Web-based streaming protocols.
According to Secunia researchers, who have taken credit for discovering the vulnerability, the issue could be used to compromise user systems, specifically via the use of infected .WAV files.
The company said that the vulnerability is caused due to an integer overflow error within the "Open()" function in the program's modules/demux/wav.c code.
"This can be exploited to cause a heap-based buffer overflow via a specially crafted WAV file having an overly large "fmt" chunk," the research firm reported. Successful exploitation may allow execution of arbitrary code.
Secunia reported that VLC's producers have been notified of the issue and plan to release an updated version of the application, but no exact date for that distribution of the software has been issued as of yet.
According to VLC's Web site, the player and its sister media server software have been downloaded close to 90 million times.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.