Two yet-to-be-patched vulnerabilities have been disclosed in VLC media player and can potentially be exploited by attackers to execute arbitrary code.
According to vulnerability research company Secunia, who rates the flaws as highly critical, they affect the third-party libmodplug plugin which is included in VLC.
The vulnerabilities were discovered and disclosed as zero-days complete with proof-of-concept exploit code by a user calling himself epiphant.
"The vulnerabilities are caused due to boundary errors within the 'abc_new_macro()' and 'abc_new_umacro()' functions in src/load_abc.cpp, which can be exploited to cause stack-based buffer overflows by tricking a user into opening specially crafted ABC files," Secunia explains in its advisory.
read more