In association with heise online

03 January 2007, 11:01

Month of Apple Bugs: hole in VLC media player [Update]

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

After the critical hole in Apple's QuickTime was reported, the next critical hole in the Month of Apple Bugs (MOAB) concerns the alternative VLC media player. Apple's Mac OS X operating system is affected, among others. While the flaw does occur on other platforms -- the weak point has at least been confirmed for Windows as well -- the initiators are not concerned about that; rather, they wish to demonstrate that Mac OS X and the applications developed for that operating system, are not, by their very nature, immune to critical security leaks.

The hole reported today results from a format string weak point in the processing of the URL udp://. A special string added to udp:// URLs allows code to be injected and executed with the registered user's rights. The victim must first transmit the prepared URL to the VLC media player. Depending on the system configuration, simply clicking on a link or loading a play list may suffice. The discoverers of the hole have provided exploits in Perl to demonstrate how easily the return address can be manipulated on the Mac OS X stack, running on a PPC or x86 platform.

VLC 0.8.6 is affected, as probably are previous versions and other operating systems. There is no patch yet. The error report proposes a workaround: disable the udp:// URL handler or uninstall VLC.

The developers of VLC meanwhile have included a patch in their CVS. Landon Fuller, maintainer of macports, provides a patch in source and binary form. In addition he also provides an unofficial patch for the Quicktime hole, published yesterday. But you'll need to install the free Application Enhancer to use those binary patches.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit