Sign in / up

back to article Stuff like sophisticated government spyware is scary and all – but don't forget, a single .wmv file can pwn you via VLC

VideoLAN has issued an update to address a baker's dozen of CVE-listed security vulnerabilities in its widely used VLC player software. The VLC update includes patches to clear up flaws that range in impact from denial of service (read: application crashes) to remote code execution (i.e. malware installation). Users and admins …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Lee D Silver badge

    "This vulnerability could be triggered by inserting specially crafted headers which are not correctly counted by the xiph_CountHeadersfunction. As a result, the total number of bytes that could be written is larger than expected, overflowing previously allocated buffers," Semmle notes in its disclosure.

    "As a result, the total number of bytes that could be written is larger than expected, overflowing previously allocated buffers. In this case, the vulnerability risk is also increased due to the large amount of bytes that can be overwritten, and the possibility that it can also be turned into an OOB read."

    It's worse than we thought! I think that quote overflowed into the next paragraph!

    26 0 Reply
    1. STOP_FORTH Silver badge
      Reply Icon

      Glitch in The Matrix!

      1 0 Reply
    2. SVV
      Reply Icon

      I think that quote overflowed into the next paragraph! It's happening in the comments too!

      4 0 Reply
  2. A Non e-mouse Silver badge

    Obligatory XKCD

    xkcd.com/538/

    1 7 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Obligatory XKCD

      Obligatory or completely off-topic?

      If the suggestion is that VLC would never be used as a vector to get malware onto a users device, then I guess we just have different expectations of the trust levels involved in the origin of content that users might play in VLC.

      1 0 Reply
  3. Stuart Halliday

    Overflow problems in this day and age?

    We've known about these issues for decades. Why are programmers still doing this?

    3 0 Reply
    1. Anonymous Coward
      Reply Icon
      Gimp

      We've known about these issues for decades. Why are programmers still doing this?

      Learn C and then come back. In the mean time, wind it in.

      9 3 Reply
    2. Luke McCarthy
      Reply Icon

      Lots of old C and C++ code, especially in video codec, that is difficult to write and re-write. Who is going to re-write hundreds of legacy codecs in Rust? And who is going to pay them to do it? (Nobody)

      8 0 Reply
    3. Paul Crawford Silver badge
      Reply Icon

      Also they should be using sandboxing stuff (like an Apparmor profile that is on by default) so when the inevitable bugs come along their ability to play havoc with your system are greatly reduced.

      0 0 Reply
  4. e^iπ+1=0

    Cross platform?

    Or?

    0 0 Reply
    1. phuzz Silver badge
      Reply Icon

      Re: Cross platform?

      Single platform, obv.

      0 0 Reply
  5. Anonymous Coward
    Anonymous Coward

    a specially-crafted .MP4 file

    I have noticed a large uptick in the use of .MP4 for advertising and also for browser fingerprinting.

    Kill it with fire I say.

    (Sent from my Pi Hole VM)

    0 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: a specially-crafted .MP4 file

      (Sent from my Pi Hole VM)

      Because using your Pi Hole to browse the web from is really sensible

      1 0 Reply
  6. Anonymous Coward
    Anonymous Coward

    vlc, like web browsers, should run as a nobody user with no access to the local filesystem, and have any files they want to play streamed through a socket to them.

    0 0 Reply
  7. Potemkine! Silver badge

    Did we really need another reason to avoid wmv files?

    0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like