May 4, 2011 15:56 GMT

Two yet-to-be-patched vulnerabilities have been disclosed in VLC media player and can potentially be exploited by attackers to execute arbitrary code.

According to vulnerability research company Secunia, which rates the flaws as highly critical, they affect the third-party libmodplug plugin that is included in VLC.

The vulnerabilities were discovered and disclosed as zero-days complete with proof-of-concept exploit code by a user calling himself epiphant.

"The vulnerabilities are caused due to boundary errors within the 'abc_new_macro()' and 'abc_new_umacro()' functions in src/load_abc.cpp, which can be exploited to cause stack-based buffer overflows by tricking a user into opening specially crafted ABC files," Secunia explains in its advisory.

The libmodplug package is present by default in many Linux distributions, including Debian, Fedora, Ubuntu and Gentoo, and is also bundled with some media players.

It is used to load and render music module files in multiple formats including .669, .amf, .ams, .dbm, .dmf, .dsm, .far, .it, .j2b, .mdl, .med, .mod, .mt2, .mtm, .okt, .psm, .ptm, .s3m, .stm, .ult, .umx, and .xm.

The vulnerabilities were confirmed in VLC media player 1.1.9 for Windows, but other versions could also be vulnerable. In addition, they might affect only pre-compiled VLC packages, like those available for Windows and Mac.

Since VLC provides plug-ins for both Firefox and Internet Explorer, there is a risk of these vulnerabilities being exploited in drive-by download attacks.

It would be sensible to disable the VLC browser plug-ins, at least until the libmodplug maintainers and VLC developers have a chance to patch the flaws.

Users are also advised to exercise caution when opening files obtained from the Internet or other untrusted sources, such as network shares.
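One way to triage ABC files from untrusted sources before they are opened, as an added example that is not code from Secunia, libmodplug or VLC. It assumes that the ABC notation fields "m:" (macro) and "U:" (user-defined symbol) are the inputs handled by the two functions named in the advisory, and it uses an arbitrary length threshold chosen for illustration.

```python
"""Added triage example: flag ABC tunes with unusually long macro fields."""
import sys

# Assumption: the ABC header fields "m:" and "U:" are the inputs that reach
# the macro-handling functions named in the advisory.
MACRO_FIELDS = (b"m:", b"U:")

# Assumption: an arbitrary triage threshold picked for this example. It is
# not a buffer size taken from libmodplug; ordinary macros are far shorter.
MAX_FIELD_BYTES = 80


def suspicious_macro_lines(data: bytes, limit: int = MAX_FIELD_BYTES):
    """Return (line_number, field, length) for each oversized macro field."""
    findings = []
    # bytes.splitlines() handles LF, CRLF and bare CR line endings.
    for number, line in enumerate(data.splitlines(), start=1):
        stripped = line.lstrip(b" \t")
        for field in MACRO_FIELDS:
            if stripped.startswith(field):
                body = stripped[len(field):].strip()
                if len(body) > limit:
                    findings.append((number, field.decode(), len(body)))
    return findings


def scan_file(path, limit=MAX_FIELD_BYTES):
    """Read a file as raw bytes and report its oversized macro fields."""
    with open(path, "rb") as handle:
        return suspicious_macro_lines(handle.read(), limit)


# Constructed sample inputs (not taken from any real tune or exploit).
SAMPLE_OK = b"X:1\nT:Example\nm: ~G2 = {A}G{F}G\nU: T = !trill!\nK:C\nCDEF|\n"
SAMPLE_LONG = b"X:1\r\nT:Example\r\nm: " + b"n" * 300 + b"\r\nK:C\r\n"

if __name__ == "__main__":
    # Usage: python abc_triage.py file1.abc file2.abc ...
    for path in sys.argv[1:]:
        for number, field, length in scan_file(path):
            print(f"{path}:{number}: {field} field is {length} bytes")
```

A hit only means the file deserves a closer look before it is opened in an unpatched player; a clean result does not show that a file is safe.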

VLC is a powerful cross-platform multimedia player capable of playing most media formats natively without the need for additional codecs. It is open source and is distributed under the GNU General Public License.