Critical Flaw Fixed in VLC Media Player
The VideoLAN project has released version 1.1.3 of its popular VLC Media Player program, which contains a fix for a dangerous arbitrary code execution flaw.
VLC is a cross-platform multimedia player capable of playing almost every media format, even without extra codecs. It is an open source program distributed under the GNU General Public License.
The flaw addressed in version 1.1.3 is tracked as CVE-2010-2937 and was found by security researchers at Fortinet's FortiGuard Labs. It arises from inadequate input validation in the program's TagLib plug-in, which is used to parse ID3v2 tags containing meta-information about media files.
To exploit this vulnerability, an attacker could trick a user into playing a file with a specially crafted ID3v2 tag, which would trigger a memory corruption flaw.
According to an advisory from Vupen Security, an attacker could use the flaw to execute arbitrary code or crash the application by tricking a user into opening a malware-laden media file.
Commenting on the flaw, security experts said that such abuse would first involve encouraging the victim to download a corrupt media file, e.g. a video file or an MP3 file, and then encouraging them to either execute it or add it to their playlists. Hence, opening files from unreliable and unfamiliar websites was not sensible. It would be safer to view media at more trustworthy websites.
In addition, the new version contains several updates and bug fixes. Some of the prominent changes were: updated translations, scripts updated to the DVD module, and an improved Podcast module.
The VideoLAN project team recommends that all users update to this latest release immediately to avoid falling victim to the flaw.
This is not the first time security concerns have been raised over VLC Media Player. In 2008, a vulnerability was found in the widely used open-source player that could let an attacker execute unsafe code on a computer. That problem arose from a buffer overflow that can take place when the player processes caption files used for movies.
» SPAMfighter News - 25-08-2010