A pair of "highly critical" vulnerabilities in the cross-platform VLC Media Player could put millions of users at risk of remote code execution attacks, according to a warning from security researchers.
The issues, reported in versions 0.5.0 through 0.9.5, could let hackers take complete control of compromised machines through rigged media files. VideoLAN, the open-source group that manages the VLC project, has released patches and strongly recommends that users upgrade to VLC media player 0.9.6.
- An error in the CUE demuxer can be exploited to cause a stack-based buffer overflow via a specially crafted CUE image file.
- An error in the RealText demuxer can be exploited to cause a stack-based buffer overflow via a specially crafted RealText subtitle file.
Exploitation of this issue requires the user to explicitly open a specially crafted file. As with any media player, the standard advice is to avoid from opening files from untrusted third parties or accessing untrusted remote sites.