Tuesday, January 20, 2015

Libavcodec bug threatens Windows XP VLC users

This just in from PCWorld.com:

"Watch out Windows XP diehards: if you run the open source media player VLC you may be vulnerable to malicious attacks. A bug discovered in November affecting VLC was recently made public on Full Disclosure, a security-focused mailing list.

The reported bug (dubbed CVE-2014-9597) allows a specially crafted video file with the FLV file extension opened in VLC 2.1.5 to corrupt memory. This could then allow the attacker to execute any code they want on the target machine. The vulnerability was tested on Windows XP SP3.

Why this matters: A bug that affects Windows XP may not be much of a worry for most users as XP’s user base has been slowly declining. But there are still some diehards holding on to the OS—around 18 percent of PC users worldwide run XP, according to Net Market Share.

While the bug apparently affects VLC users, it doesn’t appear to be an issue with VLC itself. Instead, the bug is caused by libavcodec, Jean-Baptiste Kempf, president of VideoLAN, the non-profit behind VLC, confirmed to PCWorld. Libavcodec is a third-party code library for encoding and decoding video and audio, maintained by FFmpeg. Kempf also said that he was unable to replicate the bug on Windows.

Whether or not the bug is a serious concern for users, the threat may not be long lived anyway. Kempf says the second release candidate for VLC version 2.2.0 fixes the issue. Concerned XP users can download and try out the release candidate from VideoLan."

No comments: