Security Market Segment LS
Tuesday, 14 April 2015 11:48

Five year old vulnerability still not fixed: Bitdefender


Security vendor Bitdefender says a vulnerability in "the third most popular media player" hasn't been fixed despite being identified five years ago.

According to Bitdefender Research, a buffer overflow vulnerability in BS.Player 2.57 that was identified in 2010is still present in the current 2.68 version.

BS.Player (we're guessing it wasn't named by a native English speaker) claims to have more than 70 million users, and its developer describes it as "one of the best multimedia players in the world."

Bitdefender Research says a buffer overflow can be triggered by a .m3u file containing a long URL. The problem is that one of BS.Player's modules copies the URL into a stack-allocated buffer without first checking that it can fit (bounds checking).

A maliciously crafted URL can thus be used to execute arbitrary code, which is a Bad Thing. It could potentially be used to introduce any type of malware onto affected computers: "anything from a run-of-the-mill Trojan to full-blown ransomware" or even what are known as advanced persistent threats, according to Bitdefender.

The vulnerability can be exploited on Windows XP and Windows 7 - but not on Windows 8 as Structured Exception Handler Overwrite Protection is enabled by default.

Bitdefender pointed out that buffer overflow exploits are often missed by security software as the code being executed appears to be part of a known, legitimate application.

So "A little caution can go a long way and as such, it is best to avoid opening email attachments from suspect sources or clicking on strange links received either via email or social networks."

WEBINAR event: IT Alerting Best Practices 27 MAY 2PM AEST

LogicMonitor, the cloud-based IT infrastructure monitoring and intelligence platform, is hosting an online event at 2PM on May 27th aimed at educating IT administrators, managers and leaders about IT and network alerts.

This free webinar will share best practices for setting network alerts, negating alert fatigue, optimising an alerting strategy and proactive monitoring.

The event will start at 2pm AEST. Topics will include:

- Setting alert routing and thresholds

- Avoiding alert and email overload

- Learning from missed alerts

- Managing downtime effectively

The webinar will run for approximately one hour. Recordings will be made available to anyone who registers but cannot make the live event.



Security requirements such as confidentiality, integrity and authentication have become mandatory in most industries.

Data encryption methods previously used only by military and intelligence services have become common practice in all data transfer networks across all platforms, in all industries where information is sensitive and vital (financial and government institutions, critical infrastructure, data centres, and service providers).

Get the full details on Layer-1 encryption solutions straight from PacketLight’s optical networks experts.

This white paper titled, “When 1% of the Light Equals 100% of the Information” is a must read for anyone within the fiber optics, cybersecurity or related industry sectors.

To access click Download here.


Stephen Withers

joomla visitors

Stephen Withers is one of Australia¹s most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.



Recent Comments