VLC Player Vulnerable to Remote Hijack

Written by Ernesto on March 18, 2008 

VLC Player, one of the best and most widely used media players has found to be vulnerable to a remote hijack. The reported vulnerability makes it possible for a malicious user to run arbitrary code, potentially taking remote control of the host machine.

vlc media playerVLC is a popular media player among BitTorrent users. Not just for the fact that it is free, also because it includes a huge number of the video codecs, so it can play virtually every video file available.

Unfortunately, the latest versions of VLC have a security flaw according to a report from Luigi Auriemma. The vulnerability can be exploited to compromise a user’s system, as it leaves it wide open for a malicious user to run arbitrary code.

The problem occurs when a someone loads a subtitle file, which causes a buffer overflow that can be exploited. The security flaw is platform independent, which means it affects Windows, Mac and Linux users.

Initially it was reported that the flaws in version 0.8.6d were fixed in the latest release, but this turns out not to be the case. Auriemma writes: “The old buffer-overflow in the subtitles handled by VLC has not been fully patched in version 0.8.6e.”

“The funny thing is that my old proof-of-concept was built just to test this specific buffer-overflow and in fact it works on the new VLC version too without modifications,” he adds.

For now, the only solutions are not to run any subtitle files, or to grab one of the nightly builds. The downside is, however, that these might not be as stable as the regular releases.

Previously: Most Popular DVDrips on BitTorrent (wk11)

Next: CBC To Release TV-Show via BitTorrent, For Free

120 Responses (Add yours or TrackBack)

Pages: « 1 [2] 3 4 5 » Show All

26 Mar 19, 2008 at 02:02 by Anonymous

free

what.cd

invite

irc.what.cd

#what.cd-invites

27 Mar 19, 2008 at 02:07 by Anonymous

[quote]Can its codecs be used with any other application? [/quote]

Yes, because they come from another project and are used in many other applications (including mplayer and ffdshow).

VLC USES THE SAME CODECS AS FFDSHOW, EXCEPT FFDSHOW WRAPS THEM FOR USE WITH DIRECTSHOW PLAYERS.

[quote]they are specificaly coded for VLC.[/quote]

If by “specifically coded for VLC” you mean “coded for the ffmpeg project but is used by many other projects, including VLC and ffdshow” then you’re right. But you didn’t mean that as you didn’t say it, so you’re wrong.

Read up;

http://en.wikipedia.org/wiki/Proprietary_software
http://en.wikipedia.org/wiki/Libavcodec
http://en.wikipedia.org/wiki/Libavcodec#Applications_using_libavcodec

28 Mar 19, 2008 at 02:21 by ﻼﻎﻏﻎﻏ

ﺕﮗﮨﺁﮕ what.cd ﺕﮥﺧﮨﺫﯣﺑﭿﷲ ’shutdown by 03/21/08′ RIAA ﭿﺘﮔﺖﭯﮉﭿﮁﺘﮔﺖﭯ

29 Mar 19, 2008 at 02:29 by Anonymous

[quote]Can its codecs be used with any other application? No, they are exclusivly for VLC.[/quote]

They are used in ffdshow.

[quote]they are specificaly coded for VLC.[/quote]

No, they are not. They are coded for the ffmpeg project, many free projects use them, like VLC, mplayer, ffdshow, avidemux, handbrake, etc.

30 Mar 19, 2008 at 03:03 by put it in her butt

http://www.youtube.com/watch?v=_wmylsm9DAs

31 Mar 19, 2008 at 03:19 by ﺖﭯﮉﭿﮁﺘﮔﺖ

que?

32 Mar 19, 2008 at 03:35 by JN

What is the big deal VLC is a nice simple player anyone can load & use. It’s played almost everything just fine for me. For bin/cue movies I use a different player. There are so many players, why is everyone arguing over a player.

I even saw them VLC being used to run movies on a wall of TV’s in Circuit City of all places!?

33 Mar 19, 2008 at 03:37 by JN

What is the big deal VLC is a nice simple player anyone can load & use. It’s played almost everything just fine for me. For bin/cue movies I use a different player. There are so many players, why is everyone arguing over a player.

I even saw VLC being used to run movies on a wall of TV’s in Circuit City of all places!?

34 Mar 19, 2008 at 03:49 by Norm

[quote comment="314057"][quote comment="314040"]Luckily for me I speak every language in the world, including dead ones, and therefore don’t need subtitles.[/quote]

البريّة في العالم، وتقطن الببور الغابات أو الأراضي العشبيّة حيث يساعدها فراؤها المخطط على التموّه بشكلٍ كبير وبالتالي اصطياد فرائس تكون في العادة أكثر رشاقة وسرعةً منها. تحب الببور أن تنزل في الماء بشكلٍ مستمر في الأيام الحارّة، لكنها على عك

u feel me ?[/quote]

Single greatest post on torrent freak ever.

35 Mar 19, 2008 at 04:44 by debarunthepsychic

[quote comment="314197"][quote comment="314057"][quote comment="314040"]Luckily for me I speak every language in the world, including dead ones, and therefore don’t need subtitles.[/quote]

البريّة في العالم، وتقطن الببور الغابات أو الأراضي العشبيّة حيث يساعدها فراؤها المخطط على التموّه بشكلٍ كبير وبالتالي اصطياد فرائس تكون في العادة أكثر رشاقة وسرعةً منها. تحب الببور أن تنزل في الماء بشكلٍ مستمر في الأيام الحارّة، لكنها على عك

u feel me ?[/quote]

Single greatest post on torrent freak ever.[/quote]

Sure is great comment

36 Mar 19, 2008 at 05:55 by Fuzzypig

So what if it ain’t perfect, I hate this sh*t that people talk “Oh it doesn’t do (insert tiny non-consequential feature here) so it’s a pile of crap!” BS. Hey you have a choice, if you don’t like the free stuff, get your wallet out and pay for one or shut up and have a pop at helping to fix it and make it better, even better still write your own better one, that’s the OSS spirit. Living in a semi-free country using OSS, we can at least challenge these things and help improve them, if MS and Mr Jobs had their way we’d all be under their thumbs doing it their way.

37 Mar 19, 2008 at 07:28 by n3l87

This is why I use GOM.

GOM will play everything, subs or even mp4/ipod format vids (not sure if VLC can?).

It also has a much better GUI than VLC (user friendly vs. utilitarian) and drag and drop for playlists.

I’ll never go back to VLC, ever.

38 Mar 19, 2008 at 07:59 by hooded

So where is the code written in the subtitles?

And also couldn’t you just open the subtitles with notepad or text edit and check? I mean if its a script wouldn’t it be easy to search for? like “//” or something?

39 Mar 19, 2008 at 08:07 by King Canute

Try using the 0.9 beta. I’m running it on wintel and linux and had no problems so far - nice new QT4 interface.

40 Mar 19, 2008 at 08:21 by ace hall

[quote comment="314226"][quote comment="314197"][quote comment="314057"][quote comment="314040"]Luckily for me I speak every language in the world, including dead ones, and therefore don’t need subtitles.[/quote]

البريّة في العالم، وتقطن الببور الغابات أو الأراضي العشبيّة حيث يساعدها فراؤها المخطط على التموّه بشكلٍ كبير وبالتالي اصطياد فرائس تكون في العادة أكثر رشاقة وسرعةً منها. تحب الببور أن تنزل في الماء بشكلٍ مستمر في الأيام الحارّة، لكنها على عك

u feel me ?[/quote]

Single greatest post on torrent freak ever.[/quote]

Sure is great comment[/quote]

why,yes,….(blushing)thank q…

41 Mar 19, 2008 at 08:53 by Fragy

[quote comment="314325"][quote comment="314226"][quote comment="314197"][quote comment="314057"][quote comment="314040"]Luckily for me I speak every language in the world, including dead ones, and therefore don’t need subtitles.[/quote]

البريّة في العالم، وتقطن الببور الغابات أو الأراضي العشبيّة حيث يساعدها فراؤها المخطط على التموّه بشكلٍ كبير وبالتالي اصطياد فرائس تكون في العادة أكثر رشاقة وسرعةً منها. تحب الببور أن تنزل في الماء بشكلٍ مستمر في الأيام الحارّة، لكنها على عك

u feel me ?[/quote]

Single greatest post on torrent freak ever.[/quote]

Sure is great comment[/quote]

why,yes,….(blushing)thank q…[/quote]
I’ll just add my part!

42 Mar 19, 2008 at 10:32 by Pissed Off Guy


Just check out subtitles before using them.

43 Mar 19, 2008 at 10:47 by Rekrul

The nightly builds of VLC are less stable than the normal builds? So I guess that means it crashes or screws up 90% of the time instead of just 80%?

The built in codecs are nice, but it sucks at pretty much everything else. It’s slower than any other player, it crashes often, it usually doesn’t display the video until at least 10-15 seconds in and then you have to start it over to see the start, and the full-screen controls are a joke.

They’re trying to add every feature under the sun, but they never actually get any of them working properly before they move onto something else.

44 Mar 19, 2008 at 10:51 by UraPhake

[quote comment="314153"][quote]Can its codecs be used with any other application? No, they are exclusivly for VLC.[/quote]

They are used in ffdshow.

[quote]they are specificaly coded for VLC.[/quote]

No, they are not. They are coded for the ffmpeg project, many free projects use them, like VLC, mplayer, ffdshow, avidemux, handbrake, etc.[/quote]

Are you somehow slightly brain-challenged?

The codec you’re referring to is inside of VLC and cannot be used externally to VLC itself. It doesn’t matter that ffdshow and VLC are both using a build of the libavcodec. VLC does absolutely nothing for anything but itself when it is installed on a given machine, while ffdshow can be utilized by many media players on the same machine. That’s the difference. VLC keeps the codec to its own use, while ffdshow shares the wealth.

Get it yet?

45 Mar 19, 2008 at 10:54 by UraPhake

This forum software is slightly brain-challenged as well, since it quotes myself in the post above instead of “Anonymous.”

Which makes me look brain-challenged for not noticing it beforehand. :)

46 Mar 19, 2008 at 11:10 by Anonymous

[quote comment="314040"]Luckily for me I speak every language in the world, including dead ones, and therefore don’t need subtitles.[/quote]
two shay

47 Mar 19, 2008 at 11:33 by Amomymous

Stop the VLC bashing. I have used it on my Macs since version 4. Was and is a great player. Not many crashes, plays everything except WMV10, playlists work just fine, fullscreen controls are better then QuickTime’s, works with the Apple remote (menu button = fullscreen) and is configurable to the n-th degree. Open Source and free, no file opening lags like QT-player so what’s not to like? I don’t care which codecs it uses, it works and video looks great (except for some WMV9 files). It’s become a cornerstone of my universe and the main reason I don’t use QT, DVD Player or FrontRow.

48 Mar 19, 2008 at 12:11 by JoeRodge

[quote comment="314330"][quote comment="314325"][quote comment="314226"][quote comment="314197"][quote comment="314057"][quote comment="314040"]Luckily for me I speak every language in the world, including dead ones, and therefore don’t need subtitles.[/quote]

البريّة في العالم، وتقطن الببور الغابات أو الأراضي العشبيّة حيث يساعدها فراؤها المخطط على التموّه بشكلٍ كبير وبالتالي اصطياد فرائس تكون في العادة أكثر رشاقة وسرعةً منها. تحب الببور أن تنزل في الماء بشكلٍ مستمر في الأيام الحارّة، لكنها على عك

u feel me ?[/quote]

Single greatest post on torrent freak ever.[/quote]

Sure is great comment[/quote]

why,yes,….(blushing)thank q…[/quote]
I’ll just add my part![/quote]

black people

49 Mar 19, 2008 at 12:59 by R2_

VLC rlz !!!!!!!!!!!
But this GOM is worth a try. I see no point why we should keep on using always the same player,browser,whatever, why not try something new?
The fact that vlc codecs can’t be used from other progs, is a bad point, but doens’t make vlc that bad…

1 references to this post

Pages: « 1 [2] 3 4 5 » Show All

Add your response

It takes approximately 1 minute for your comment to appear on TorrentFreak after it's posted.