Exploit posted for Viewpoint Media Player flaw

Summary: Exploit code for an unpatched vulnerability in the widely distributed Viewpoint Media Player has been posted on the Internet, putting millions of Internet Explorer users at risk of code execution attacks.

The exploit, available at Milw0rm.com, takes advantage of a stack-based buffer overflow in the Viewpoint browser plug-in that sits on millions of computers thanks to bundling deals with AOL, AIM, Netscape and Adobe.

The player serves as the graphics engine for AOL Instant Greetings, AIM Themes and other popular web applications and is also used to power product tours for the Toyota 4Runner and Sony laptop, desktop, and server computing products.

According to "Shinnai," the hacker who discovered the flaw, the exploit was tested on a fully-patched Windows XP Professional SP2 with Internet Explorer 7.

The bug was found in the xMetaStream.dll (version 3.3.2.26), which is marked as safe for scripting.

The AxMetaStream ActiveX contains various methods which accept parameters as String. All these methods are vulnerable to a stack-based buffer overflow when you pass an overly long string (greater than 6999 characters).

In the absence of a patch, Shinnai recommends uninstalling the Viewpoint Media Player.

"Shinnai" was the hacker behind the Month of ActiveX Bugs project.
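
To check whether a machine still has the plug-in registered and scriptable from Internet Explorer, the following PowerShell audit is an added example, not code from the article, Shinnai or Viewpoint. It assumes the server DLL is named AxMetaStream.dll (taken from the control name above); the safe-for-scripting category ID and the Internet Explorer kill-bit flag are the standard Windows values.

```powershell
# Added example: list registered COM classes served by the Viewpoint plug-in DLL and
# report whether each is marked safe for scripting and whether IE's kill bit blocks it.
# Assumption: the DLL file name is AxMetaStream.dll (from the control name in the text).
$DllName          = 'AxMetaStream.dll'
$SafeForScripting = '{7DD95801-9882-11CF-9FA9-00AA006C4E0A}'  # CATID_SafeForScripting
$KillBit          = 0x400                                      # kill bit in "Compatibility Flags"

# Native registry view plus the 32-bit view on 64-bit Windows, each with its kill-bit root.
$views = @(
    @{ Classes = 'HKLM:\SOFTWARE\Classes\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Classes = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
       Compat  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

$findings = foreach ($view in $views) {
    if (-not (Test-Path -LiteralPath $view.Classes)) { continue }
    foreach ($key in Get-ChildItem -LiteralPath $view.Classes -ErrorAction SilentlyContinue) {
        $srvKey = $key.OpenSubKey('InprocServer32')
        if ($null -eq $srvKey) { continue }
        $server = ([string]$srvKey.GetValue('')).Trim('"')     # default value = path to the DLL
        $srvKey.Close()
        if ($server -notlike "*\$DllName") { continue }

        $clsid  = $key.PSChildName
        # Registry category only; a control can also claim safety at run time via IObjectSafety.
        $catKey = $key.OpenSubKey("Implemented Categories\$SafeForScripting")
        $flags  = (Get-ItemProperty -LiteralPath (Join-Path $view.Compat $clsid) `
                       -ErrorAction SilentlyContinue).'Compatibility Flags'
        $version = if (Test-Path -LiteralPath $server) {
            (Get-Item -LiteralPath $server).VersionInfo.FileVersion
        }
        [pscustomobject]@{
            CLSID            = $clsid
            Server           = $server
            FileVersion      = $version          # the article names 3.3.2.26 as affected
            SafeForScripting = ($null -ne $catKey)
            KillBitSet       = (([int]$flags -band $KillBit) -ne 0)
        }
    }
}

if ($findings) { $findings | Sort-Object CLSID | Format-Table -AutoSize }
else           { Write-Output "No COM class registered for $DllName." }
```

A row showing SafeForScripting as True and KillBitSet as False means web pages loaded in Internet Explorer can still instantiate and script the control; an empty result is what a completed uninstall looks like.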


About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
