VideoLAN uncovers vulnerability in consumer video player

To exploit the vulnerability, a user must “explicitly open a specially crafted advanced systems format (ASF) movie." Then, an attacker could cause a buffer overflow to occur when attempting to parse a specially crafted movie, security researcher Debasish Mandal reported.

VideoLAN said that if successful, a malicious third party could trigger an invalid memory access, leading to a crash of VLC media player's process. The arbitrary code vulnerability, however, “is not confirmed.”

VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVD, Audio CD, VCD, and various streaming protocols. The vulnerability, exists in the ASF demuxer of VLC media player versions 2.0.5 and earlier.

Users should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied. Alternatively, the ASF demuxer can be removed manually from the VLC plugin installation directory. This will prevent ASF movie playback though.

VideoLAN said that the issue can be addressed in the VLC media player 2.0.x source code repository by replacing a macro with a static inline and improved bounds checking, and that the patch also is included in VLC's future 2.0.6 release.

What’s Hot on Infosecurity Magazine?