Two nasty exploits found in VLC Media Player core library

Posted on Tuesday, January 20 2015 @ 15:16 CET by Thomas De Maesschalck
A Turkish security researcher discovered two vulnerabilities in the library code used by VLC Media Player and other software. The bugs can lead to arbitrary code execution, but despite the severity the risk seems somewhat limited, as the exploit requires a specially crafted FLV or M2V file and most users rarely come into contact with these file types.

The bugs were reported to VLC's developers on December 26, 2014 but the fix hasn't reached the latest stable version of VLC yet.
VLC's developers, Videolan Software, were informed of the flaws on Boxing Day and had not issued fixes for the latest stable version, 2.1.5, by the time of disclosure 9 January. Version 2.2.0-rc2, available to testers, is not vulnerable, according to the VLC project's bug tracker.

The developers have been contacted for comment. Judging by entries in the VLC bug tracker, here and here, the flaws lie within libavcodec, a core component of the video player. This library is also used by MPlayer and other open-source software.
Source: The Register

