Researchers at Secunia have found a "highly critical" vulnerability that puts users of the cross-platform VLC Media Player at risk of remote code execution attacks. The vulnerability is confirmed in version 0.8.6h on Windows. Prior versions may also be affected. A patch is expected soon from the VLC team.

According to statistics from VLC, the download count for the open-source media player exceeds 89 million.

From the Secunia advisory:

The vulnerability is caused due to an integer overflow error within the "Open()" function in modules/demux/wav.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted WAV file having an overly large "fmt" chunk. Successful exploitation may allow execution of arbitrary code.

Secunia recommends that VLC...
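The class of bug the advisory describes, as an added C example that is not VLC's code and not part of the original article: a 32-bit size read from a "fmt " chunk header wraps when a small constant is added to it, while a parser that bounds the size first rejects the file. The constant FMT_EXTRA, the cap FMT_MAX, the function names and the two byte arrays are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FMT_EXTRA 2u    /* assumed: bytes a parser adds to the declared size */
#define FMT_MAX   4096u /* assumed sanity cap for a "fmt " chunk */

/* Constructed samples: a 16-byte "fmt " chunk, and one declaring 0xFFFFFFFF bytes. */
static const uint8_t wav_ok[] = {'R','I','F','F',28,0,0,0,'W','A','V','E',
    'f','m','t',' ',16,0,0,0, 1,0,1,0,0x44,0xAC,0,0,0x88,0x58,1,0,2,0,16,0};
static const uint8_t wav_bad[] = {'R','I','F','F',28,0,0,0,'W','A','V','E',
    'f','m','t',' ',0xFF,0xFF,0xFF,0xFF, 1,0,1,0};

/* Unchecked 32-bit arithmetic: wraps to a tiny value for sizes near UINT32_MAX. */
static uint32_t alloc_size_unchecked(uint32_t chunk_size) {
    return chunk_size + FMT_EXTRA;
}

/* Checked form: allocation size, or -1 if the declared size is implausible
   or larger than the data actually left in the file. */
static int64_t alloc_size_checked(uint32_t chunk_size, size_t remaining) {
    if (chunk_size > FMT_MAX || chunk_size > remaining) return -1;
    return (int64_t)chunk_size + FMT_EXTRA;
}

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk RIFF/WAVE chunks; return the checked size for "fmt ", -1 on malformed input. */
static int64_t wav_fmt_alloc_size(const uint8_t *buf, size_t len) {
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "WAVE", 4)) return -1;
    size_t off = 12;
    while (off + 8 <= len) {
        uint32_t size = rd_le32(buf + off + 4);
        size_t remaining = len - off - 8;
        if (!memcmp(buf + off, "fmt ", 4))
            return alloc_size_checked(size, remaining);
        if (size > remaining) return -1;          /* chunk runs past end of file */
        off += 8 + (size_t)size + (size & 1u);    /* chunks are word-aligned */
    }
    return -1;                                    /* no "fmt " chunk found */
}

int main(void) {
    printf("unchecked(0xFFFFFFFF) = %u\n", (unsigned)alloc_size_unchecked(0xFFFFFFFFu));
    printf("ok file:  %lld\n", (long long)wav_fmt_alloc_size(wav_ok, sizeof wav_ok));
    printf("bad file: %lld\n", (long long)wav_fmt_alloc_size(wav_bad, sizeof wav_bad));
    return 0;
}
```

With the unchecked form, a buffer sized from the wrapped value would be far smaller than the chunk length later used for the copy, which is the heap overflow condition; the checked form refuses the file before any allocation.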