14 DAY TRIAL // A critical zero-day vulnerability has been discovered in VLC media player and can potentially be exploited to execute arbitrary code on a user's system.
The flaw is located in libmodplug, a third-party library used to load and render music module files in multiple formats including .669, .amf, .ams, .dbm, .dmf, .dsm, .far, .it, .j2b, .mdl, .med, .mod, .mt2, .mtm, .okt, .psm, .ptm, .s3m, .stm, .ult, .umx, and .xmSound.
The libmodplug package is present by default in many Linux distributions, including Debian, Fedora, Ubuntu, Gentoo, as well as some media players.
"The vulnerability is caused due to a boundary error within the "CSoundFile::ReadS3M()" function in src/load_s3m.cpp, which can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted S3M file," vulnerability research vendor Secunia explains.
The flaw was discovered by M. Lucinskij and P. Tumenas of the SEC Consult Vulnerability Lab and was patched in libmodplug 0.8.8.2, released at the beginning of April.
However, the latest VLC binary packages, such as those for Windows and Mac OS X, still contain an outdated version of the library.
Because there is still no patch for VLC and proof-of-concept exploit code is publicly available, Secunia rates the vulnerability for the media player as highly critical.
VLC provides a Firefox plug-in and an IE ActiveX control, therefore, there is also a risk of attacks from Web pages that would load maliciously crafted S3M files.
A temporary solution is to disable the VLC browser plug-ins until a patched version of the media player is released. Not opening .S3M files from untrusted sources is equally important.
VLC is a powerful cross-platform multimedia player capable of playing most media formats natively without the need of additional codecs. It is open source and is distributed under the GNU General Public License.