A recently discovered critical buffer overflow vulnerability in certain versions of the VLC media player could allow attackers to remotely execute malicious code. The flaw, discovered by researcher Debasish Mandal, affects versions 2.0.5 and earlier. A fix is scheduled for version 2.0.6, VideoLAN, the non-profit that develops the software, announced on its website.
The vulnerability stems from an error in the “DemuxPacket()” function that VLC uses to handle Advanced Streaming Format (ASF) video files, and it can be triggered when a user opens a specially crafted ASF file. Although exploitation requires the user to explicitly open the malicious file, the threat has been rated “highly critical” by security research firm Secunia.
“If successful, a malicious third party could trigger an invalid memory access, leading to a crash of VLC media player’s process,” the VideoLAN website explained. “In some cases attackers might exploit this issue to execute arbitrary code within the context of the application, but this information is not confirmed.”
VideoLAN recommended that users avoid opening files from untrusted third parties or accessing suspicious remote sites. Alternatively, users can disable VLC browser plugins until the patch is applied. VLC installs plugins for embedded video playback by default in Mozilla Firefox, Internet Explorer, Google Chrome, Apple Safari, Opera and Konqueror, Computerworld noted. The ASF demuxer (libasf_plugin.*) can also be manually removed from the VLC plugin installation directory.
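The plugin-removal workaround described above can be scripted so that it is reversible once 2.0.6 is installed. The following is an added example, not code from VideoLAN or the original article: it checks whether a version string falls in the affected range and moves any libasf_plugin.* file out of a plugin directory into a quarantine folder. The function names, the quarantine folder and the plugin directory passed in are assumptions, and the demo runs on constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example (not VideoLAN's code). Function names and paths are assumptions.

# is_affected VERSION: succeeds if VERSION is 2.0.5 or earlier (fix is in 2.0.6).
is_affected() {
    fixed="2.0.6"
    v=${1%%[!0-9.]*}            # drop suffixes such as " Twoflower" or "-git"
    if [ -z "$v" ]; then return 2; fi
    if [ "$v" = "$fixed" ]; then return 1; fi
    # Numeric sort on each dotted field; the first line is the lower version.
    lowest=$(printf '%s\n%s\n' "$v" "$fixed" |
             sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$v" ]
}

# disable_asf_demuxer PLUGIN_DIR QUARANTINE_DIR
# Moves every libasf_plugin.* found under PLUGIN_DIR into QUARANTINE_DIR
# (which must lie outside PLUGIN_DIR) and prints how many files were moved.
disable_asf_demuxer() {
    plugin_dir=$1
    quarantine=$2
    if [ ! -d "$plugin_dir" ]; then
        echo "no such directory: $plugin_dir" >&2
        return 2
    fi
    mkdir -p "$quarantine" || return 2
    # -print only fires for files that mv moved successfully.
    find "$plugin_dir" -type f -name 'libasf_plugin.*' \
        -exec mv -- {} "$quarantine/" \; -print | wc -l | tr -d ' '
}

# Demo on constructed files: a fake plugin tree, not a real VLC installation.
demo=$(mktemp -d)
mkdir -p "$demo/plugins/demux"
: > "$demo/plugins/demux/libasf_plugin.so"
: > "$demo/plugins/demux/libavi_plugin.so"
if is_affected "2.0.5"; then
    echo "ASF demuxer files moved: $(disable_asf_demuxer "$demo/plugins" "$demo/quarantine")"
fi
rm -rf "$demo"
```

To undo the workaround after upgrading, move the quarantined file back into the directory it came from.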
To reduce the need for vulnerability patches such as this one, developers can improve software security during the coding process. By using tools such as source code analysis software, programmers can catch flaws such as buffer overflows before the software is released.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.