X
Tech
Home Tech Security

Exploit posted for Viewpoint Media Player flaw

Exploit code for an unpatched vulnerability in the widely distributed Viewpoint Media Player has been posted on the Internet, putting millions of Internet Explorer users at risk of code execution attacks.
Written by Ryan Naraine, Contributor

Exploit code for an unpatched vulnerability in the widely distributed Viewpoint Media Player has been posted on the Internet, putting millions of Internet Explorer users at risk of code execution attacks.

The exploit, available at Milw0rm.com, takes advantage of a stack-based buffer overflow in the Viewpoint browser plug-in that sits on millions of computers thanks to bundling deals with AOL, AIM, Netscape and Adobe.

The player serves as the graphics engine for AOL Instant Greetings, AIM Themes and other popular web applications and is also used to power product tours for the Toyota 4Runner and Sony laptop, desktop, and server computing products.

According to "Shinnai," the hacker who discovered the flaw, the exploit was tested on a fully-patched Windows XP Professional SP2 with Internet Explorer 7.

The bug was found in the xMetaStream.dll (version 3.3.2.26), which is marked as safe for scripting.

The AxMetaStream activex contains various methods which accept parameters as String. All these methods are vulnerable to a stack based buffer overflow when you pass an overly long (greater than 6999 characters).

In the absense of a patch, Shinnai recommends uninstalling the Viewpoint Media Player.

"Shinnai" was the hacker behind the Month of ActiveX Bugs project.

Editorial standards
Show Comments

Related

Microsoft Copilot

7 reasons I use Copilot instead of ChatGPT

pxl-20240424-181716738

Facebook's Meta AI is lying when it says you can disable it - but here's what you can do

asus-zenbook-14-main

The work laptop I recommend to most people is not made by Apple or Lenovo