VideoHelp Forum




  1. Member
    Join Date
    Oct 2007
    Location
    United States
    Just an FYI, found this at Yahoo News:

    A flaw in the widely-used open-source VLC media player could allow an attacker to execute harmful code on a PC.

    The problem stems from a buffer overflow that can occur when the player processes subtitle files used for movies, according to a security advisory.

    The vulnerability existed before VLC was upgraded to version 0.8.6e in late February, but the bug appears to have escaped the last round of patches, wrote Luigi Auriemma in a note.

    "The funny thing is that my old proof-of-concept was built just to test this specific buffer overflow, and in fact it works on the new VLC version too without modifications," Auriemma wrote.

    Video files can contain a link to a separate subtitle file, which VLC automatically loads when it plays the video. An attacker could use the buffer overflow flaw in VLC to execute malicious code contained in a subtitle file, and thus tamper with a PC. The flaw affects VLC players running on Windows, Mac, BSD and possibly more operating systems, Auriemma wrote.

    The VLC media player is part of the VideoLAN project. The player is free, and it is released under the GNU General Public License. VLC can also be used as a streaming media server for a variety of platforms.
  2. Mod Neophyte redwudz's Avatar
    Join Date
    Sep 2002
    Location
    USA
    But your malware scanning programs should detect the malicious subtitle before it gets to VLC.
  3. Member oldandinthe way's Avatar
    Join Date
    Mar 2006
    Location
    With the other crabapples
    Originally Posted by redwudz
    But your malware scanning programs should detect the malicious subtitle before it gets to VLC.
    Possibly, but not necessarily. It may not assume that a subtitle file is executable and therefore not recognize the risk.
  4. Member lacywest's Avatar
    Join Date
    Aug 2001
    Location
    California
    I don't use subtitles ... and I have no desire for any video with subtitles
  5. Banned
    Join Date
    Oct 2004
    Location
    Freedonia
    The quick fix for VLC would be to simply disallow the automatic loading of subtitles (I had no idea this was even possible) and force you to manually specify the subtitle file to use (what I do), which you presumably would at least look at prior to opening to be sure it's really subtitles and not malicious code.
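One way to do the "look at it before opening" check from the last post, as an added example that is not part of the thread and not VLC code. The thresholds, the extension list and the rule that a player picks up subtitle files sharing the video's base name are assumptions made for illustration; this is a heuristic triage, and a clean result does not prove a file is safe.

```python
import os

# Assumed values for this illustration; adjust to the files you handle.
SUB_EXTS = {".srt", ".sub", ".ssa", ".ass", ".txt"}
MAX_FILE_BYTES = 5 * 1024 * 1024   # text subtitles are rarely this large
MAX_LINE_CHARS = 1024              # cue lines are short; huge lines are unusual


def _decode(data: bytes) -> str:
    """Decode as UTF-16 when a BOM says so, else as UTF-8 (bad bytes become U+FFFD)."""
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16", errors="replace")
    return data.decode("utf-8-sig", errors="replace")


def triage_subtitle(data: bytes) -> list:
    """Return the reasons a file does not look like ordinary text subtitles."""
    reasons = []
    if len(data) > MAX_FILE_BYTES:
        reasons.append("oversized file")
    text = _decode(data)
    controls = sum(1 for ch in text if ord(ch) < 32 and ch not in "\t\r\n")
    if controls:
        reasons.append(f"{controls} control characters")
    longest = max(len(line) for line in text.split("\n"))
    if longest > MAX_LINE_CHARS:
        reasons.append(f"line of {longest} characters")
    return reasons


def sidecar_subtitles(video_path: str) -> list:
    """List subtitle files next to a video that share its base name (assumed pickup rule)."""
    folder = os.path.dirname(os.path.abspath(video_path))
    stem = os.path.splitext(os.path.basename(video_path))[0].lower()
    return sorted(
        os.path.join(folder, name)
        for name in os.listdir(folder)
        if name.lower().startswith(stem)
        and os.path.splitext(name)[1].lower() in SUB_EXTS
    )


if __name__ == "__main__":
    # Constructed samples: a normal SubRip cue and one with a 5000-character line.
    normal = b"1\n00:00:01,000 --> 00:00:03,000\nHello there\n"
    odd = b"1\n00:00:01,000 --> 00:00:03,000\n" + b"A" * 5000 + b"\n"
    for label, blob in (("normal", normal), ("odd", odd)):
        print(label, triage_subtitle(blob) or "nothing unusual")
```

Run `sidecar_subtitles()` on a downloaded video's path to see which subtitle files sit beside it, then pass each file's bytes to `triage_subtitle()` before playing the video.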


