A Turkish security expert found two zero-day vulnerabilities in library code used by the popular VLC media player around Christmas and is amazed they still have not been fixed.
Veysel Hatas found a data execution prevention (DEP) violation (CVE-2014-9597) and a write access violation (CVE-2014-9598) in VLC and warned the outfit that they could lead to arbitrary code execution.
“VLC Media Player contains a flaw that is triggered as user-supplied input is not properly sanitised when handling a specially crafted FLV or M2V file,” Hatas wrote in his blog.
“This may allow a context-dependent attacker to corrupt memory and potentially execute arbitrary code.”
Despite the fact that the flaws were discovered on Boxing Day and VLC was about to release a new stable version on January 9, they were never fixed.
The flaws lie within libavcodec, a core component of the video player, and VLC is not the only one to use the library. MPlayer and other open-source software also use it.
It has been estimated that there are more than 1.5 billion downloads of the open saucy VLC thanks mostly to the fact it will play anything – including viruses apparently.