In association with heise online

14 July 2011, 11:14

VLC Media Player vulnerable to heap overflow exploits


According to the VideoLAN project, the popular VLC Media Player is susceptible to two heap overflow vulnerabilities in the Real Media and AVI file parsers. These holes, rated as "Highly critical" by security specialist Secunia, could be exploited by an attacker to crash the player or possibly execute arbitrary code on a victim's system. For an attack to be successful, a user must first open a specially crafted malicious file.

The vulnerabilities, discovered by Hossein Lotfi, have been confirmed to affect the latest 1.1.10 release of VLC, from early June. According to the VLC developers, an upcoming maintenance and security update, VLC 1.1.11, will address these problems and introduce further stability fixes.

Until an update is available, users are advised to refrain from opening files from untrusted sources. Alternatively, the developers note that users can remove the RealMedia plugin (demux/libavi_plugin.*) to prevent any use of AVI or Real Media files.

Update: Version 1.1.11 of VLC has been released to address the above vulnerabilities. The update also offers several other improvements.
