User input is necessary for the exploit to be successful

Jan 20, 2015 09:03 GMT

A pair of memory corruption vulnerabilities have been discovered in libavcodec, the open-source codec library used in version 2.1.5 of VLC Media Player, which is currently the latest stable release of the program.

If the flaws are successfully exploited, an attacker could gain the ability to execute arbitrary code on a machine running the buggy video player. This would be achieved through memory corruption triggered by a specially crafted file.

Demo files have been created

The glitches were found by Turkish security researcher Veysel Hatas, who says that he contacted the developer and delivered his findings on December 26, 2014.

One of the flaws, a Data Execution Prevention (DEP) access violation tracked as CVE-2014-9597, can be leveraged against a user through a maliciously crafted FLV file.

The other is identified as CVE-2014-9598 and is a write access violation vulnerability that can be triggered in exactly the same way, but uses an MV2 file type instead. In both cases, the user would have to be tricked into loading the malicious file into VLC.

For demonstration purposes, Hatas created two files that would trigger the bugs and also posted tickets in VideoLan’s issue tracking system. At the moment, the ticket is closed because the libavcodec library is at fault, not the media player.

VLC 2.2.0 is not impacted by the security flaws

Hatas says in an advisory that the bugs were discovered on November 24. He reported the memory corruption problems on December 26, but it appears that they are still present in the latest stable release of the media player.

According to the researcher, he found the faulty behavior by testing on Windows XP with its latest service pack installed.

Although version 2.1.5 of the program includes the buggy libavcodec, the developers say that the two issues are not present in VLC 2.2.0, which is currently available as a second release candidate, meaning that it is quite stable and only a small batch of quirks needs to be ironed out.

It is important to note that libavcodec is used by other free media players, such as MPlayer, as their main decoding engine.

VLC enjoys huge popularity on all supported platforms (Windows, Mac, Linux), with more than one billion downloads. The application is also available for the mobile platforms Android, iOS and Windows Phone.