March 18, 2008

Malicious subtitle file could trip up VLC media player

Security advisory warns that attackers could use a buffer overflow flaw in VLC to execute malicious code in a subtitle file and tamper with a PC

A flaw in the widely used open source VLC media player could allow an attacker to execute harmful code on a PC.

The problem stems from a buffer overflow that can occur when the player processes subtitle files used for movies, according to a security advisory.

The vulnerability existed before VLC was upgraded to version 0.8.6e in late February, but the bug appears to have escaped the last round of patches, wrote Luigi Auriemma in a note.

"The funny thing is that my old proof-of-concept was built just to test this specific buffer overflow, and in fact it works on the new VLC version too without modifications," Auriemma wrote.

Video files can contain a link to a separate subtitle file, which VLC automatically loads when it plays the video. An attacker could use the buffer overflow flaw in VLC to execute malicious code contained in a subtitle file, and thus tamper with a PC. The flaw affects VLC players running on Windows, Mac, BSD, and possibly more operating systems, Auriemma wrote.

The VLC media player is part of the VideoLAN project. The player is free, and it is released under the GNU General Public License. VLC can also be used as a streaming media server for a variety of platforms.

Sign up to receive Security Resource Alerts

Subscribe to the Security Central Newsletter

The one-stop resource center for IT professionals.

White Paper

CA Security Management Solutions

A comprehensive security management solution can help you streamline, as well as grow, your current or evolving business. In this way, a strategic security approach can help you increase your competitiveness in these challenging market conditions.

Download now! »

White paper

Beyond Compliance: The Significant Benefits of Log Management

Find out how you can effectively collect, normalize and archive enterprise-wide, security-related data that is invaluable for security investigation and compliance reporting.

Download now! »

Webcast

Integrated Identity Compliance: Enabling Cost-Effective Role-Based Compliance

This session focuses on the intersection of role management and identity compliance, and addresses the importance of identity compliance in enterprise governance and the challenges that organizations may face in achieving it.

View now! »
©1994-2009 Infoworld, Inc.