Vulnerability Research - VLC Player Falls Prey to Critical Flaw - eWeek Security Watch
Security Watch
SHARE
Facebook X Pinterest WhatsApp

VLC Player Falls Prey to Critical Flaw

Written By
Matthew Hines
Matthew Hines
Jul 7, 2008
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

It would seem that multimedia playing software programs are always among the most popular sources of high-level security risks, and this time it’s the lesser-known but well thought-of VLC music and video system that has turned up on the vulnerability scrolls.

Secunia researchers have issued a “highly critical” warning for the free VLC player, affecting versions 0.8.6h and earlier for the Microsoft Windows platform. Popular among many multimedia pros for its interface and ease of use, the open source VLC player is used for just about any type of application, including most audio and video formats, including DVDs, VCDs, and Web-based streaming protocols.

According to Secunia researchers, who have taken credit for discovering the vulnerability, the issue could be used to compromise user systems, specifically via the use of infected .WAV files.

The company said that the vulnerability is caused due to an integer overflow error within the “Open()” function in the program’s modules/demux/wav.c code.

“This can be exploited to cause a heap-based buffer overflow via a specially crafted WAV file having an overly large “fmt” chunk,” the research firm reported. Successful exploitation may allow execution of arbitrary code.

Secunia reported that VLC’s producers have been notified of the issue and plan to release an updated version of the application, but no exact date for that distribution of the software has been issued as of yet.

According to VLC’s Web site, the player and its sister media server software have been downloaded close to 90 million times.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
Matthew Hines
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information