"VLC Player Vulnerable to Remote Hijack"

[amade]

Hmmm ... little confused here. If you are behind a router with firewall and you have a decent AV and you have a software firewall and some other crap that keeps track of things that happen on your box. How can someone come into your PC and execute some kind of code???

Doesn't this implies someone has ta have the possibility to get into your PC first to execute the code???

Maybe the above VLC vulnerability is effective only for PCs without firewall, etc? With firewall working, the attack can be filtered out, I believe.

[akenat0n]

Actually I think they have to give you the file (the subtitle) and you have to run it before they can have control. However it wouldn't work out if you block incoming or outgoing VLC connections.

And 0.8.6e fixed the other bug, so don't worry.

[Jdsnut]

VLC Player Vulnerable to Remote Hijack

Posted on 19.03.2008 at 02:13 in Tech News by Kennii
VLC Player, one of the best and most widely used media players has found to be vulnerable to a remote hijack. The reported vulnerability makes it possible for a malicious user to run arbitrary code, potentially taking remote control of the host machine.
VLC is a popular media player among BitTorrent users. Not just for the fact that it is free, also because it includes a huge number of the video codecs, so it can play virtually every video file available. Unfortunately, the latest versions of VLC have a security flaw according to a report from Luigi Auriemma. The vulnerability can be exploited to compromise a user’s system, as it leaves it wide open for a malicious user to run arbitrary code.
The problem occurs when a someone loads a subtitle file, which causes a buffer overflow that can be exploited. The security flaw is platform independent, which means it affects Windows, Mac and Linux users.
Initially it was reported that the flaws in version 0.8.6d were fixed in the latest release, but this turns out not to be the case. Auriemma writes: “The old buffer-overflow in the subtitles handled by VLC has not been fully patched in version 0.8.6e.”
“The funny thing is that my old proof-of-concept was built just to test this specific buffer-overflow and in fact it works on the new VLC version too without modifications,” he adds.
For now, the only solutions are not to run any subtitle files, or to grab one of the nightly builds. The downside is, however, that these might not be as stable as the regular releases.

Thats what I just posted.?

[DasFox]

0.8.6e user here!

[esco123]

vlc is a great software, and i neva will remove it.