In association with heise online

10 April 2013, 09:47

I'll name that exploit in one - VirtualDJ hole


The development team behind DJ software VirtualDJ have released version 7.4 of their software, which fixes a bug triggered when analysing ID3 tags. That bug has subsequently turned out to be a critical security vulnerability. Contrary to statements in the change log that the effects of malformed ID3 tags are limited to crashes, it turns out that the bug can be exploited to inject malicious code.

An exploit (Spanish-language link) utilising the buffer overflow, which is triggered by processing ID3 tags in the Windows version of the software, is already in circulation. The overflow is triggered specifically when analysing the song title (the "title" field). Playing a maliciously crafted MP3 file with VirtualDJ can therefore result in infection. VirtualDJ users, especially those who listen to MP3s from untrusted sources, should migrate to the new version without delay. The update also fixes numerous other bugs in the software.
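A tag parser avoids this class of overflow by checking every size the file declares before copying the title into a fixed buffer. The C code below is an added example, not VirtualDJ's code and not part of the original article; it assumes an ID3v2.3 tag, and `TITLE_MAX`, `id3_title` and `make_sample` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TITLE_MAX 128 /* assumed application limit, not a VirtualDJ value */
enum { T_OK = 0, T_NO_TAG = -1, T_MALFORMED = -2, T_TOO_LONG = -3, T_NO_TITLE = -4 };

/* Copy the TIT2 (title) text of an ID3v2.3 tag into out, refusing anything
   that does not fit. Assumes no extended header and no unsynchronisation. */
int id3_title(const uint8_t *buf, size_t len, char out[TITLE_MAX])
{
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return T_NO_TAG;
    /* Tag size is synchsafe: 4 bytes of 7 bits, top bit always clear. */
    if ((buf[6] | buf[7] | buf[8] | buf[9]) & 0x80) return T_MALFORMED;
    size_t tag = ((size_t)buf[6] << 21) | ((size_t)buf[7] << 14) |
                 ((size_t)buf[8] << 7) | buf[9];
    if (tag > len - 10) return T_MALFORMED; /* tag claims more than the file holds */
    const uint8_t *p = buf + 10, *end = p + tag;
    while ((size_t)(end - p) >= 10 && p[0] != 0) { /* zero byte starts padding */
        size_t fsz = ((size_t)p[4] << 24) | ((size_t)p[5] << 16) | ((size_t)p[6] << 8) | p[7];
        if (fsz > (size_t)(end - p) - 10) return T_MALFORMED; /* frame overruns tag */
        if (memcmp(p, "TIT2", 4) == 0) {
            if (fsz < 1) return T_MALFORMED;             /* encoding byte missing */
            if (fsz - 1 >= TITLE_MAX) return T_TOO_LONG; /* length check before the copy */
            memcpy(out, p + 11, fsz - 1);                /* skip frame header + encoding byte */
            out[fsz - 1] = '\0';
            return T_OK;
        }
        p += 10 + fsz;
    }
    return T_NO_TITLE;
}

/* Constructed sample: a tag with one TIT2 frame of n 'A' bytes (ISO-8859-1). */
size_t make_sample(uint8_t *dst, size_t n)
{
    size_t f = n + 1, t = 10 + f;
    uint8_t h[21] = { 'I', 'D', '3', 3, 0, 0, (uint8_t)((t >> 21) & 0x7f),
        (uint8_t)((t >> 14) & 0x7f), (uint8_t)((t >> 7) & 0x7f), (uint8_t)(t & 0x7f),
        'T', 'I', 'T', '2', (uint8_t)(f >> 24), (uint8_t)(f >> 16),
        (uint8_t)(f >> 8), (uint8_t)f, 0, 0, 0 };
    memcpy(dst, h, sizeof h);
    memset(dst + sizeof h, 'A', n);
    return sizeof h + n;
}

int main(void)
{
    uint8_t file[1024];
    char title[TITLE_MAX];
    printf("5-byte title: %d\n", id3_title(file, make_sample(file, 5), title));
    printf("600-byte title: %d\n", id3_title(file, make_sample(file, 600), title));
}
```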

