VLC Player Vulnerable to Remote Hijack
VLC Player, one of the best and most widely used media players, has been found to be vulnerable to a remote hijack. The reported vulnerability makes it possible for a malicious user to run arbitrary code, potentially taking remote control of the host machine.
VLC is a popular media player among BitTorrent users, not just because it is free but also because it includes a huge number of video codecs, so it can play virtually every video file available. Unfortunately, the latest versions of VLC have a security flaw, according to a report from Luigi Auriemma. The vulnerability can be exploited to compromise a user’s system, as it leaves it wide open for a malicious user to run arbitrary code.
The problem occurs when someone loads a subtitle file, which causes a buffer overflow that can be exploited. The security flaw is platform independent, which means it affects Windows, Mac and Linux users.
Initially it was reported that the flaws in version 0.8.6d were fixed in the latest release, but this turns out not to be the case. Auriemma writes: “The old buffer-overflow in the subtitles handled by VLC has not been fully patched in version 0.8.6e.”
“The funny thing is that my old proof-of-concept was built just to test this specific buffer-overflow and in fact it works on the new VLC version too without modifications,” he adds.
For now, the only solutions are not to run any subtitle files, or to grab one of the nightly builds. The downside is, however, that these might not be as stable as the regular releases.
Source – Torrentfreak
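The article does not show VLC's parser, so the following is an added example and not VLC's code: a hypothetical C routine for one SSA `Dialogue:` subtitle line that measures the text field before copying it and rejects oversized input, the bounds check that prevents this class of overflow. The function name, the 256-byte cap and the sample lines are assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SUB_TEXT_MAX 256   /* assumed cap for this example */

enum sub_status { SUB_OK = 0, SUB_MALFORMED = -1, SUB_TOO_LONG = -2 };

/* Hypothetical parser for one SSA "Dialogue:" line. The text field is
 * everything after the 9th comma. The unsafe pattern is copying that field
 * into a fixed buffer with strcpy() or an unbounded scanf "%[^\r\n]";
 * here the length is measured first and oversized input is rejected. */
static int parse_ssa_dialogue(const char *line, char *text, size_t text_sz)
{
    static const char prefix[] = "Dialogue:";
    if (line == NULL || text == NULL || text_sz == 0)
        return SUB_MALFORMED;
    text[0] = '\0';
    if (strncmp(line, prefix, sizeof prefix - 1) != 0)
        return SUB_MALFORMED;

    const char *p = line + sizeof prefix - 1;
    for (int commas = 0; commas < 9; commas++) {
        p = strchr(p, ',');
        if (p == NULL)
            return SUB_MALFORMED;    /* fewer fields than expected */
        p++;
    }
    size_t len = strcspn(p, "\r\n"); /* field ends at end of line */
    if (len >= text_sz)
        return SUB_TOO_LONG;         /* would not fit with the NUL */
    memcpy(text, p, len);
    text[len] = '\0';
    return SUB_OK;
}

int main(void)
{
    /* Constructed sample lines, not taken from any real file. */
    char big[4096], out[SUB_TEXT_MAX];
    const char *ok = "Dialogue: Marked=0,0:00:01.00,0:00:03.00,Default,,0000,0000,0000,,Hello, world\r\n";
    int n = snprintf(big, sizeof big, "Dialogue: 0,0,0,D,,0,0,0,,");
    memset(big + n, 'A', 1000);
    big[n + 1000] = '\0';
    printf("%d %s\n", parse_ssa_dialogue(ok, out, sizeof out), out);
    printf("%d\n", parse_ssa_dialogue(big, out, sizeof out));
    return 0;
}
```

A plain-text subtitle file is still parser input: the length of each field is chosen by whoever wrote the file, so the reader has to enforce its own limits.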

Comments(66)
pwnd
1 more reason to go MKV, the subs are embedded
that is a scary thing to hear. but lucky for me i dont use subs a lot so i should be good for now.
hahaha funny
i use media player classic so no worries
Media player classic+ffdshow = better. Much better.
this is fear mongering.
there is a 0% chance that you are going to download rigged subtitle files. if someone knows where to get them, let me know and i’ll run them myself.
kenii instead of choosing a good, proven open source app like VLC to ‘pick on’ next tech news i’m going to fight back by posting security faults of stupid windows apps.
glad i’m not using this player.. has anyone tested this code?
@7
Completely agreed.
nr8 wrote: “glad i’m not using this player.. has anyone tested this code?”
You really should give it a try.
VLC is one of the most respected projects in Free/Open Software world.
Thousands of people dig in its code on a daily basis.
Unlike others, they don’t hide their problems (obviously a good thing).
http://www.youtube.com/watch?v=_wmylsm9DAs
MPC here, too.
I agree with Mr.X and others on this one
(and also, not to trust a guy that thinks ‘Kennii’ is a cool spelling)
#2 Nothing stops people from packing those subs into mkv’s either LOL.
lol at ***dows users
Way to go Mr. X!
Ppl Pls remember that this is a proof of concept exploit that is not in the wild. And since it has already been taken care of in the nightly builds (which are not as unstable as the reviewer seems to think), a “proper” should be on its way soon enough (it’s really rare to see an app get nuked in here – so I would rather enjoy it & take it as a funny incident!).
this isn’t good for me because i use subtitles all the time because i am partially deaf. is there any way i can still use subtitles and not get remotely hijacked?
timo: make the smart choice–switch over to CCCP + Mediaplayer Classic. Works just as well as VLC, and even better in some aspects.
http://www.cccp-project.net/
Windows Media Player FTW !
Or even better, just install the smaller ffDshow package and enjoy even more codecs & stable quality in the Win Media Player itself that uncle Bill has gifted us all for free. It uses the same Mplayer rendering engine which is the best for watching Vids IMO.
I’ll just keep to my version 0.8.6c just to be safe
Firewall.
i agree with mr x it’s just fear mongering, what is the chance of getting hacked anyway? i’ve never been hacked “yet”
KMP FTW!!!
The best!
Same sentiment as MrX.
To put this into perspective, common software like MS Office/ Firefox and Norton AV all have outstanding vulnerabilities (as in 3 years+ of the same unfixed vulnerabilities).
In the end of the day, a smart user will not need any security software if said user understands the concept of “trusted sources (like rlslog!).”
@9 If you don’t like my posts just scroll right past them, I really don’t care
Yeah, I also agree that KMPlayer is better. I’ve used both VLC and KMPlayer and I feel that KMPlayer offers more functionality and is easier to navigate for all levels of users.
@18
easy just unplug the internet while ur watching a movie
i always knew windows media player was the safest…
no codec available??? nsfw
I honestly don’t see this as fear mongering. RLSLOG postings tend to be video related predominately, and the site likely gets a lot of traffic based around that fact. It’s always good to spread the word about a potential security flaw, especially if it’s a popular program. The more folks that know, the more pressure there will likely be on the developer to fix their application quickly.
Personally I like VLC, though I feel a lite version would be a nice option to have. Having tons of features is cool, but can also be a bit overwhelming. Featureitis can sometimes lead to unnecessary bloat as well (think Nero lol).
Sadly, the PC I’m using with my HT often has trouble with stuttering. Especially HD content. Admittedly this PC might be considered by some to be borderline power-wise for what it’s used for, and is likely why most of the playback software out there also tends to suffer from these same stuttering issues. Here are the basic specs:
ASUS P4P800-E Deluxe, Intel Pentium 4 2.66 GHz, 1 GB of DDR RAM, one 300GB SATA Maxtor HDD (for OS), two IBM 1TB SATA drives in RAID-0 (for mass storage), using built-in SPDIF for audio (Realtek), and Nvidia 6800 GT for video (DVI-to-HDMI cable, desktop set to 720p).
This is why I always end up falling back to MPC. It’s the only program I’ve found to work 100% of the time without any issues at all when playing HD video. Fwiw, I don’t use any codec packs either, only the few codecs I actually need (XviD, AC3Filter, CoreAVC+Haali, QT Alternative).
Simple: DON’T USE SUBS
isn’t vlc an open source application?
can’t people crucify this malicious programmer?
happy easter!
sunday he’ll be back
Yeah people, use WMP where bugs aren’t public, instead of an application where the nightly builds *already* include a fix . . . mmm, doesn’t closed source give that warm ignorant feeling of security?
(Personally I prefer Kaffeine or KPlayer, KDE frontends for Xine and Mplayer respectively, but VLC fills a good role and I only dislike it because it doesn’t integrate into my desktop environment very well).
@7: Mr. X
Well said mate. Its good to see support for such a brilliant App.
@Kennii – no one cares. VLC is still the best player around. Stop being such a ghey.
I had a feeling that Kennii may have been an imbecile. It started when he admitted that his real name was Kenny, but he found his spelling to be ‘cooler’.
My suspicions grew with his tedious and poorly written reviews.
The woeful lack of intelligence and knowledge shown in this post has sadly confirmed my fears.
For shame Kenny(ii), for shame.
still using wmp~~
personal preferences are ok, personal diatribes just brings the whole thing down to school yard level, but ob most you yous are comfortable there
And as soon as the exploit is posted it is in the wild,
doesnt matter what you d/l or how stupid/smart you are
I often check edonkey type stuff for subs cause im lazy lol, so if I used VLC i would have been a bit more careful about doing that in the future.
so bet someone should be thanking kennii, might as well be me
btw ie7 is much better than firefox, and my dad is bigger than yours
PSHHH VLC rocks >.> simple easy and i don’t use subs anyways. Are there a lot of deaf people watching movies or something? sheesh turn up the damn volume!!! <.<
The last thing i want to do when watching a movie is READ O.O
That would suck if while blowing my load I was remotely hijacked
This exploit is old in terms of exploits, it was released to the public on 14th March ‘08, and by now thousands of people would have downloaded, compiled, and be using it. By the looks of it, it creates a special .avi file, so be on the lookout for anyone sending you small .avi files.
Exploit here:
http://milw0rm.com/exploits/5250
~Untamed
Subs users are mainly from non-English-speaking countries.
Beside VLC I normally use BSplayer when using subs.
Never mind about the ‘be on the lookout for small .avi files’, I’ve just had a closer look at the exploit and it creates a .ssa file and a .avi file, so be on the lookout for suspicious .ssa files.
~Untamed
@ 27: VLC can show .idx if the sub-file is in .sub format and not .rar format.
But that usually makes it too big to burn to 1 cd (together with the movie of course)
I used to use MPC+FFDshow
but now I’m on vlc. Just one less ‘program’ to install on my computer
As a long time vlc user I find it funny when I read things like “MPC+FFDshow” or “CCCP + Mediaplayer Classic”. Don’t you see the point?
It’s just “vlc”, not “vlc plus other things”. It works out of the archive without any issues on multiple platforms. I use the KISS principle, and vlc is the right answer.
WOW!!! I saw the first line and said to myself:
“Copied and pasted from torrentfreak”
It is. Word of advice. TorrentFreak went as far as making up a complete interview with aXXo and plugging that fake site named after him…to me these people are the enemy and should be treated thusly. Torrentfreak is no different than Truth.org commercials.
Try this little experiment: play a simple mp3 song in VLC and monitor the cpu usage. Should stay close to zero all the way. If not, you know it’s poorly programmed (unstable). MPC + ffdshow + CoreAVC for the win !
OSX nightly builds are not available for a year now. crap.
Damn!!!!!! Its scary…
Use bsplayer..!!!!
“For now, the only solutions are not to run any subtitle files, or to grab one of the nightly builds. The downside is, however, that these might not be as stable as the regular releases.”
This seems to imply that the regular releases are actually stable, which has been far from my experience.
VLC has a lot of features, but none of them are particularly well implemented.
They will fix it soon but no worries for me since I use Dziobas rar player so I dont have to extract my rar archive
SMplayer has better decoders, compare for yerself.
I’ve been a vlc user 3 years, no back.
I use VLC, but like KMPlayer a lot more, it plays everything with lots of features and options.
KMPlayer 2.9.3.1428 the latest stable release
http://www.kmplayer.com/forums/showthread.php?t=8351
KMPlayer 2.9.3.1430 the latest Beta release
http://www.softpedia.com/get/Multimedia/Video/Video-Players/KMPlayer.shtml
“If you don’t like my posts just scroll right past them, I really don’t care”
Why is this Kenny guy writing for RLSLOG? With the attitude he has shown with the above statement he obviously doesn’t care about readers. I’ve always been impressed with the staff at RLSLOG and the professionalism they show us. But this Kenny guy has the wrong attitude.
All hail open source!
What’s the problem with this news? It’s a 0-day release site reporting a 0-day bugfix
That’s right! How dare Kennii report something, that’s… you know… true and everything. Your argument kind of falls apart there doesn’t it? If he was lying sure, but whining about it when it’s true just makes you look like a fanboy bone head. Actually it’s worse than that, it makes you sound like a Mac user.
And it’s pretty funny to see a guy that calls himself “Mr.X” making fun of someone else’s username.
@K “Simple: DON’T USE SUBS”
that is a really stupid comment.. that’s the same thing as having a bittorrent client and i say “simple: don’t download movies” not everybody speaks/knows english/spanish/french/japanese/german etc..
dumb
vlc plays back idx/sub subtitles fine without problems.
lol at people recommending cccp, that’s got to be the stupidest thing ever.
kmplayer and GOm are too good over VLC and somehow i get gr8 sound in KMPLAyer and way better quality in GOM player over VLC so it really ain’t worth it so every1 just try GOM Or KMPLAYER right now and i am sure u won’t use VLC ever again
WMP + K-Lite for me
Convert the *.idx/*.sub (taking out your own language) and save it as *.srt (I have posted a “how to…..” many times) and you have a plain textfile. Can any of you EXPERTS tell me how you can program and hide a virus in a plain textfile!
“Try this little experiment: play a simple mp3 song in VLC and monitor the cpu usage. Should stay close to zero all the way.”
My vlc does do that. And that’s on a 4 year old PC!
anyone here use kmplayer ?? it’s like the best player out there and a damn good vlc alternative..
DAMN I USE THIS.
@ number 33.
Not all people can hear as good as you!
Not all people talk English as well as you -_-
Think before you talk