Remote code execution flaw in VLC Media Player
Researchers at Secunia have found a "highly critical" vulnerability that puts users of the cross-platform VLC Media Player at risk of remote code execution attacks.
The vulnerability is confirmed in version 0.8.6h on Windows. Prior versions may also be affected. A patch is expected soon from the VLC team.
According to statistics from VLC, the download count for the open-source media player exceeds 89 million.
From the Secunia advisory:
The vulnerability is caused due to an integer overflow error within the "Open()" function in modules/demux/wav.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted WAV file having an overly large "fmt" chunk. Successful exploitation may allow execution of arbitrary code.
Secunia recommends that VLC users avoid opening untrusted WAV files.
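The failure mode the advisory describes, as an added example (not VLC's code and not taken from the advisory): a 32-bit size computation that wraps for a very large declared "fmt" chunk size, next to a bounds-checked RIFF chunk walker. `FMT_MAX`, `EXTRA_HDR` and all function names are assumptions for illustration; the page does not give the actual arithmetic in modules/demux/wav.c.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define FMT_MAX   4096u  /* assumed policy cap on the "fmt " payload size */
#define EXTRA_HDR 2u     /* hypothetical bytes a parser adds before allocating */

/* Read a little-endian 32-bit value, as used for RIFF chunk sizes. */
static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked 32-bit arithmetic: wraps to a tiny value for sizes near UINT32_MAX. */
uint32_t unchecked_alloc_size(uint32_t chunk_size) { return chunk_size + EXTRA_HDR; }

/* Checked form: returns 0 and sets *out, or -1 if the declared size is
 * implausible or exceeds the bytes actually remaining in the file. */
int checked_alloc_size(uint32_t chunk_size, size_t remaining, size_t *out) {
    if (chunk_size < 16 || chunk_size > FMT_MAX) return -1;  /* PCM "fmt " is 16 bytes */
    if (chunk_size > remaining) return -1;
    *out = (size_t)chunk_size + EXTRA_HDR;
    return 0;
}

/* Walk RIFF/WAVE chunks in buf and validate the "fmt " chunk.
 * Returns 0 and sets *alloc on success, -1 on malformed or oversized input. */
int validate_wav_fmt(const uint8_t *buf, size_t len, size_t *alloc) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4)) return -1;
    size_t off = 12;
    while (len - off >= 8) {
        uint32_t size = rd_le32(buf + off + 4);
        size_t remaining = len - off - 8;
        if (memcmp(buf + off, "fmt ", 4) == 0)
            return checked_alloc_size(size, remaining, alloc);
        if (size > remaining) return -1;
        off += 8 + (size_t)size + (size & 1u);  /* chunks are word-aligned */
        if (off > len) return -1;
    }
    return -1;  /* no "fmt " chunk found */
}

/* Constructed sample: minimal RIFF/WAVE buffer whose "fmt " chunk declares fmt_size. */
size_t make_sample(uint8_t out[36], uint32_t fmt_size) {
    memset(out, 0, 36);
    memcpy(out, "RIFF", 4); memcpy(out + 8, "WAVE", 4); memcpy(out + 12, "fmt ", 4);
    for (int i = 0; i < 4; i++) out[16 + i] = (uint8_t)(fmt_size >> (8 * i));
    return 36;
}
```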