In association with heise online

29 August 2008, 11:37

New security hole in VLC video player


A new critical security hole has been found in the VLC player from the VideoLan project, while there is still no public fix for the previous security hole found two weeks ago. The new vulnerability lies in the handling of mmst:// URLs. If a user opens a URL of this form that points to an attacker's server, the server can deliver crafted data that causes a buffer overflow on the heap, which could lead to remote code execution, according to an advisory note from Orange Bat.

In tests, heise Security found that both the Windows version, 0.8.6i, and the Linux version, 0.8.6e, of VLC crashed when accessing a compromised stream, confirming the existence of the problem. VLC's developers were notified of the issue by third parties, and a fix has been applied to the source code in the VLC version management system. There is, however, no date yet for a VLC update that would make the fix generally available.

