Vulnerabilities have been discovered in some versions of the popular VLC media player which may allow a cyberattacker to corrupt memory and potentially execute arbitrary code.
According to security researcher Veysel Hatas, who posted the discovery on Full Disclosure last week, one of the vulnerabilities is a DEP access violation vulnerability and the other is a write access flaw.
The VideoLAN project is a community of non-profit developers who create open-source multimedia tools. The VLC player is one of the most well-known results of this project, and acts as a cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various streaming protocols.
The first security vulnerability, discovered on 24 November last year, is triggered because user-supplied input is not properly sanitized when handling a specially crafted FLV file. The second vulnerability is much the same: it is triggered because user-supplied input is not properly sanitized when handling a specially crafted M2V file. Either file may be malicious and lead to a "context-dependent attacker corrupting memory and potentially executing arbitrary code."
Considered severe, the flaws are present in version 2.1.5 of VLC media player, and were tested on Windows XP SP3. While this legacy operating system is no longer supported by Microsoft, many users worldwide have not yet updated and may be vulnerable.
The vulnerabilities were reported to the VideoLAN project on 26 December 2014, but no patch has been issued to fix the problem.