A researcher named Debasish Mandal has found a critical command execution vulnerability in the famous VLC media player, affecting the latest version 2.0.5 and earlier, that attackers can exploit to execute malicious code on computers via ASF files.

The developers at the VLC organization have published an advisory stating that the vulnerability is located in the media player's component responsible for playing ASF (Advanced Streaming Format) video files.

The advisory states that: 

Security Advisory 1302

Summary           : Buffer Overflow in ASF Demuxer
Date              : January 2013
Affected versions : VLC media player 2.0.5 and earlier
ID                : VideoLAN-SA-1302
CVE reference     : CVE-XXXX-XXXX

Details

When parsing a specially crafted ASF movie, a buffer overflow might occur.

Impact

If successful, a malicious third party could trigger an invalid memory access, leading to a crash of VLC media player’s process. In some cases attackers might exploit this issue to execute arbitrary code within the context of the application but this information is not confirmed.

Threat mitigation

Exploitation of this issue requires the user to explicitly open a specially crafted ASF movie.

Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

Alternatively, the ASF demuxer (libasf_plugin.*) can be removed manually from the VLC plugin installation directory. This will prevent ASF movie playback.

Solution

This issue is addressed in VLC media player 2.0.x source code repository by replacing a macro with a static inline and improved bounds checking.

This patch is included in VLC’s future 2.0.6 release.

Windows and Mac OS X builds can be found on the VideoLAN nightlies website.

To read the complete details and advisory, visit the official website of VLC.
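The advisory's fix, "replacing a macro with a static inline and improved bounds checking", is shown here as a general pattern in an added example; it is not VLC's code and not part of the original article. The macro, the function names and the record layout are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

static inline uint32_t le_read(const uint8_t *p, size_t n)
{
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v |= (uint32_t)p[i] << (8 * i);
    return v;
}

/* "Before" (contrast only, never invoked): width code is file-controlled, no length check. */
#define READ_VAR_UNCHECKED(code, var, def, buf, pos)                 \
    switch ((code) & 0x03) {                                         \
    case 1: (var) = le_read((buf) + (pos), 1); (pos) += 1; break;    \
    case 2: (var) = le_read((buf) + (pos), 2); (pos) += 2; break;    \
    case 3: (var) = le_read((buf) + (pos), 4); (pos) += 4; break;    \
    default: (var) = (def); break;                                   \
    }

/* "After": knows the buffer length; returns 0 on success, -1 on a short buffer. */
static inline int read_var_checked(unsigned code, uint32_t *var, uint32_t def,
                                   const uint8_t *buf, size_t len, size_t *pos)
{
    static const size_t width[4] = { 0, 1, 2, 4 };
    size_t n = width[code & 0x03];
    if (*pos > len || n > len - *pos)   /* written so the subtraction cannot wrap */
        return -1;
    *var = n ? le_read(buf + *pos, n) : def;
    *pos += n;
    return 0;
}

/* Constructed record (not the ASF layout): flags byte with three 2-bit codes, then fields. */
int parse_record(const uint8_t *buf, size_t len, uint32_t out[3])
{
    size_t pos = 1;
    if (len < 1) return -1;
    for (int i = 0; i < 3; i++)
        if (read_var_checked(buf[0] >> (2 * i), &out[i], 0, buf, len, &pos))
            return -1;
    return 0;
}

int main(void)
{
    const uint8_t rec[] = { 0x39, 0x7f, 0x34, 0x12, 0x78, 0x56, 0x34, 0x12 }; /* constructed */
    uint32_t f[3];
    printf("full=%d\n", parse_record(rec, sizeof rec, f));
    printf("truncated=%d\n", parse_record(rec, sizeof rec - 1, f));
    return 0;
}
```

The checked function rejects the truncated record instead of reading past the end, which is the behaviour a demuxer needs when the field widths are taken from the file itself.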

Source and credits: VideoLan.org


Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and the tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.