VLC Player Falls Prey to Critical Flaw
It would seem that multimedia playing software programs are always among the most popular sources of high-level security risks, and this time it's the lesser-known but well thought-of VLC music and video system that has turned up on the vulnerability scrolls. Secunia researchers have issued a "highly critical" warning for the free VLC player, affecting versions 0.8.6h and earlier for the Microsoft Windows platform. Popular among many multimedia pros for its interface and ease of use, the open source VLC player is used for just about any type of application, including most audio and video formats, including DVDs, VCDs, and Web-based streaming protocols. According to Secunia researchers, who have taken credit for discovering the vulnerability, the issue could be used to compromise user systems, specifically via the use of infected .WAV files. The company said that the vulnerability is caused due to an integer overflow error within the "Open()" function in the program's modules/demux/wav.c code. "This can be exploited to cause a heap-based buffer overflow via a specially crafted WAV file having an overly large "fmt" chunk," the research firm reported. Successful exploitation may allow execution of arbitrary code. Secunia reported that VLC's producers have been notified of the issue and plan to release an updated version of the application, but no exact date for that distribution of the software has been issued as of yet. According to VLC's Web site, the player and its sister media server software have been downloaded close to 90 million times.
|
