Patch/Configuration Management, Vulnerability Management

Month of Apple Bugs day two: a VLC media player flaw

For the second exposed flaw in their Month of Apple Bugs (MoAB) project, researchers Kevin Finisterre and LMH have again reported a media player flaw, but this time in a lesser known application than QuickTime.

The pair disclosed a flaw in the VLC media player that can be exploited by attackers to take control of an affected system, according to an advisory released today on the MOAB site.

LMH, the online alias used by the hacker also behind the Month of Kernel Bugs campaign last November, told in an email last month that the MoAB project is aimed at attracting improved security collaboration to the Mac platform. The duo exposed a flaw in Apple's QuickTime 7 on Tuesday.

Critics - including McAfee's chief security architect - have told that MoAB is not fair to either Apple or its customers.

The vulnerability exists in version 0.8.6 of VLC media player, an open-source product made by VideoLAN, and affects both Mac OS X and Windows users, according to an advisory released today by flaw-monitoring firm Secunia.

The Danish vulnerability clearinghouse ranked the flaw as "highly critical."

The bug is caused by a format string error when handling udp:// URIs, according to the advisory. It can be exploited by a specially crafted website or through a malicious M3U file.

VeriSign iDefense, however, rated today's flaw as only "low severity," because of the media player's low market share, Frederick Doyle, senior intelligence analyst, told today.

"Despite (the proof-of-concept code), iDefense has scored this vulnerability as low severity due to the limited popularity of the vulnerable software," he said.

MoAB released the first of 31 expected flaws on Tuesday - a flaw in QuickTime 7 that could lead to a compromised system. Secunia rated that bug "highly critical" and said in an advisory that the flaw affects users on Mac and Windows.

Click here to email Online Editor Frank Washkuch Jr.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.