The IT security researcher at Cisco Talos Intelligence Group has discovered a critical remote code execution vulnerability in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer.
Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263 +, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis.
These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP, explains
“A specially crafted packet can cause a stack-based buffer overflow, resulting in code execution. An attacker can send a packet to trigger this vulnerability,” Wyatt explained in her blog post.
An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players make sure they are updated to the latest version.
This, however, is not the first time when popular media player like VLC is making headlines for the wrong reasons Previously, a security researcher had identified critical security flaws in 2.0.5 and earlier versions that could have been exploited by attackers to execute malicious code on computers via ASF files.
Last year, CheckPoint security researchers identified a vulnerability in Kodi, VLC and Popcorn Time media players that would let hackers hijack a targeted system through subtitles. Furthermore, Vault 7 related documents leaked by WikiLeaks showed how the CIA used fake VLC players to steal data from an infected device.
The document further revealed that CIA agents used a tool to exploit a modified old version of VLC media player. The described tool gathered documents from a computer or network and, to hide its activity, runs inside VLC Portable 2.1.5 on Microsoft Windows platforms.