Long-time vulnerability in media player patched

Stephen Withers
Tuesday, 11 November 2008 02:31

Business IT - Open Source

Popular media player VLC has been updated to protect against a vulnerability that could allow the execution of arbitrary code.

The free and open source VLC media player is widely used on Windows, Mac OS X, Linux and other operating systems, largely because of the wide range of multimedia formats it can handle without requiring the user to install additional codecs. Version 0.9.x has been downloaded over 15 million times.

Some Mac owners use VLC in place of the standard DVD Player application for watching DVDs, as it provides a workaround for the region-locking 'feature' that isn't as easily disabled on a Mac as it is on other platforms. (That's particular source of frustration in Australia, where region coding is not a legally enforceable technological protection measure.)

It's also useful for transcoding media files, and can be used as a streaming server.

So what has been fixed in the software?

All versions of VLC media player from 0.9.5 (released in late October) right back to 0.5.0 are vulnerable to attacks via maliciously crafted CUE image files or RealText subtitle files. Such files could exploit stack-based buffer overflows to execute arbitrary code.

Version 0.9.6 fixes these issues, and was released two days after the VideoLAN Project team was notified of the problem by Tobias Klein.

All users are advised to upgrade to the new version, which is available via the VideoLAN home page.