Memory Corruption Bugs Found in VLC Media Player

VLC bug

There are two memory corruption vulnerabilities in some versions of the VLC open-source media player that can allow an attacker to run arbitrary code on vulnerable machines.

Neither one of the vulnerabilities has been fixed by VideoLAN, the organization that maintains VLC. Security researcher Veysel Hatas reported the vulnerabilities to VideoLAN in December and published the advisories on Full Disclosure on Friday. One of the bugs is a DEP access violation vulnerability and the other is is a write access flaw.

Both vulnerabilities affect version 2.1.5 of VLC media player, but only on the outdated Windows XP operating system. While XP is no longer supported by Microsoft and is several versions out of date, it still is used widely in developing countries and in embedded devices, as well.

“VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted FLV file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code,” the advisory says.

The description of the second vulnerability is much the same.

“VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitized when handling a specially crafted M2V file. This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code,” the advisory says.

There are no patches available for the vulnerabilities, according to the advisory.

Suggested articles

st. ambrose catholic parish fraud email scam

BEC Hack Cons Catholic Church Out of $1.75 Million

An Ohio parish lost a whopping $1.75 million after attackers breached two employees’ email accounts – and then tricked other employees into sending wire transfers to a fraudulent bank account.

Discussion

  • Anonymous on

    Why go full disclosure, and not just fix it? VLC is open source software after all!

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.