Highly Critical Vulnerabilities In VLC Media Player
Two “highly critical” vulnerabilities in the cross-platform VLC Media Player could put users at risk of remote code execution attacks, according to a warning from security researchers. An error in the CUE demuxer can be exploited to cause a stack-based buffer overflow via a specially crafted CUE image file. In second vulnerability, an error in the RealText demuxer can be exploited to cause a stack-based buffer overflow via a specially crafted RealText subtitle file.
The issues, reported in versions 0.5.0 through 0.9.5, could let hackers take complete control of compromised machines through rigged media files. VideoLAN, the open-source group that manages the VLC project, has released patches and strongly recommends that users upgrade to VLC media player 0.9.6.
Exploitation of this issue requires the user to explicitly open a specially crafted file. As with any media player, the standard advice is to avoid from opening files from untrusted third parties or accessing untrusted remote sites.
For details and updates visit VideoLAN website.
More on CyberInsecure:
November 9th, 2008 at 9:22 pm
Thanks for the alert, VLC is one of the favourite players since MS WMP 9/10/11 sucks.