Hack Possible on Flawed VLC Media Player
TorrentFreak, a torrent-watching website, has reported a serious flaw in the well-known VideoLAN media player, also called the VLC Player, for Mac and Windows, as reported by Download on March 18, 2008.
According to TorrentFreak, the security hole can be exploited to execute arbitrary code, potentially giving an attacker control of the host system from a distance.
However, it is not known whether the bug affects the player's portable version or whether an announcement has been made regarding a patch or an upgrade for the product.
The problem appears when a subtitle file is loaded, which can lead to an exploitable stack buffer overflow. While VLC is handling subtitles, boundary errors in the 'ParseVplayer()', 'ParseMicroDvd()' and 'ParseSSA()' functions can cause stack-based buffer overflows. The reported flaw is independent of the platform used, indicating it can affect users of Mac, Linux and Windows.
When a video file is accompanied by a separate subtitle file that VLC loads by default when the video is played, a malicious user could exploit the stack buffer overflow error in VLC. He could then run malicious software present in the subtitle file, enabling him to tamper with the vulnerable computer. The flaw affects VLC players running on Mac, Windows, BSD and probably other operating systems.
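The article does not show VLC's source, so the following is an added illustration, not VLC's code: a length-checked parser for one MicroDVD-style subtitle line (`{start}{stop}text`), the kind of boundary check whose absence produces a stack-based overflow in a subtitle parser. The struct, function names and the 256-byte buffer size are assumptions made for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SUB_TEXT_MAX 256 /* constructed size for this example */

/* Hypothetical record for one MicroDVD-style line: {start}{stop}text */
struct sub_line {
    long start, stop;
    char text[SUB_TEXT_MAX];
};

/* Parse "{digits}" and return a pointer just past '}', or NULL if malformed. */
static const char *parse_frame(const char *p, long *out)
{
    char *end;
    if (p[0] != '{' || !isdigit((unsigned char)p[1]))
        return NULL;
    errno = 0;
    *out = strtol(p + 1, &end, 10);
    if (errno == ERANGE || *end != '}')
        return NULL;
    return end + 1;
}

/* The unsafe pattern copies the rest of the line into a fixed buffer with no
 * length limit, e.g. sscanf(line, "{%d}{%d}%[^\r\n]", &a, &b, text).
 * Here the length is checked before anything is copied.
 * Returns 0 on success, -1 if malformed, -2 if the text does not fit. */
int parse_microdvd_line(const char *line, struct sub_line *out)
{
    const char *p = parse_frame(line, &out->start);
    if (!p || !(p = parse_frame(p, &out->stop)) || out->stop < out->start)
        return -1;
    size_t len = strcspn(p, "\r\n");
    if (len >= sizeof out->text)
        return -2; /* reject instead of overflowing or silently truncating */
    memcpy(out->text, p, len);
    out->text[len] = '\0';
    return 0;
}

int main(void)
{
    struct sub_line s;
    int rc = parse_microdvd_line("{10}{20}Hello|world\r\n", &s); /* constructed */
    printf("rc=%d start=%ld stop=%ld text=%s\n", rc, s.start, s.stop, s.text);
    return 0;
}
```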
At first, it was thought that the vulnerabilities in version 0.8.6d had been corrected by the latest upgrade, but this later turned out to be untrue. Security Advisor Luigi Auriemma at TorrentFreak said that the buffer overflow in VLC has not been completely patched in the newer version 0.8.6e, as reported by TorrentFreak on March 18, 2008.
Auriemma added that, surprisingly, his old proof-of-concept, developed only to test this particular buffer overflow, in fact worked perfectly on the latest VLC version as well, without requiring any modifications.
For now, the safe course is not to run a subtitle file. The drawback, however, is that the solution might not work out as properly as the normal releases. Security researchers have thus advised Internet users to upgrade their software at timely intervals for security.
» SPAMfighter News - 26-03-2008