Apr 12, 2011 06:12 GMT

The VideoLAN Organization has published patches to address a critical vulnerability in VLC media player that can be exploited to execute arbitrary code.

The flaw is located in the MP4 demultiplexer and is caused by an error in the "MP4_ReadBox_skcr()" function.

The vulnerability can be exploited by tricking users into opening a specially crafted MP4 file, which would cause a heap-based buffer overflow and allow code execution.

The bug was reported by Aliz Hammond in VLC media player 1.1.8, but older versions might also be affected.

Vulnerability research vendor Secunia rates the flaw as highly critical because it can be exploited remotely through the VLC ActiveX control or Firefox plug-in.

Fortunately, the Mozilla plug-in is not installed by default so most Firefox users are probably not exposed to drive-by download attacks targeting this vulnerability.

VLC developers advise users to refrain from opening files from unknown sources and to remove the MP4 decoder plugin (libmp4_plugin.*) manually from the VLC installation directory, until a fixed version of the player is released.

At the moment, only source code patches are available. This means that Linux vendors can upgrade their individually-maintained packages, but the VideoLAN-provided Windows and Mac OS X binaries will remain vulnerable until VLC media player 1.1.9 ships.
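The two checks an administrator would want for the workaround and the fix described above, as an added example that is not part of the article or of the VideoLAN project: a POSIX shell snippet that tells whether a given VLC version string predates the first fixed release (1.1.9) and lists any libmp4_plugin.* files under a caller-supplied plugin directory. The version string and the directory path are assumptions supplied by the caller, since their location differs per platform.

```shell
#!/bin/sh
# Added example (not VideoLAN code). Caller supplies the VLC version string
# (e.g. from "vlc --version") and the plugin directory to inspect.

FIXED_VERSION="1.1.9"   # first release stated to ship the MP4 demuxer fix

# Return 0 (true) when $1 is an older release than FIXED_VERSION.
# Suffixes such as "-git" or "-rc1" are dropped before comparing.
version_is_vulnerable() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    set -- $(printf '%s' "$ver" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    set -- $(printf '%s' "$FIXED_VERSION" | tr '.' ' ')
    fmajor=$1; fminor=$2; fpatch=$3
    [ "$major" -lt "$fmajor" ] && return 0
    [ "$major" -gt "$fmajor" ] && return 1
    [ "$minor" -lt "$fminor" ] && return 0
    [ "$minor" -gt "$fminor" ] && return 1
    [ "$patch" -lt "$fpatch" ]
}

# Print every MP4 plugin file below directory $1 (the files the advisory
# names as the temporary workaround target). Prints nothing if none exist.
find_mp4_plugin() {
    find "$1" -name 'libmp4_plugin.*' 2>/dev/null
}

# $1: version string, $2: plugin directory. Returns 1 when action is needed.
check_vlc() {
    if version_is_vulnerable "$1"; then
        echo "VLC $1 predates $FIXED_VERSION: MP4 demuxer fix not included"
        find_mp4_plugin "$2" | sed 's/^/  workaround target: /'
        return 1
    fi
    echo "VLC $1 includes the MP4 demuxer fix"
}
```

Typical use is `check_vlc "$(vlc --version 2>/dev/null | sed -n '1s/.*VLC version //p')" /path/to/vlc/plugins`; the version extraction pattern is an assumption about the banner format and should be adjusted to the installed build.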

This vulnerability comes days after a flaw was disclosed in libmodplug, a third-party library included in VLC. The plug-in version shipped with the media player remains vulnerable at the time of writing this article.

The VideoLAN project didn't announce the libmodplug vulnerability because, according to its security center page, it "does not issue security advisories for underlying third party libraries."

VLC is a powerful cross-platform multimedia player capable of playing most media formats natively. It is open source and is distributed under the GNU General Public License.