VLC player vulnerability allows hackers to execute arbitrary code.
The VideoLAN project is a community of non-profit developers who create open-source multimedia tools. The VLC player is one of the most well-known results of this project, and acts as a cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, Audio CDs, VCDs, and various streaming protocols.
A Turkish hacker has revealed two zero-day vulnerabilities in library code used by the popular VLC media player and others.
The data execution prevention (CVE-2014-9597) and write access (CVE-2014-9598) violation vulnerabilities could lead to arbitrary code execution, researcher Veysel Hatas said in a post.
“VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitised when handling a specially crafted FLV” or M2V file, Hatas said.
“This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.”
The bugs are apparently present in version 2.1.5 of VLC, tested on Windows XP SP3. Microsoft no longer supports this version. Neither of the vulnerabilities have been addressed, despite being reported to the VideoLAN project on 26 December.