Zero-Day FFmpeg Vulnerability Lets Anyone Steal Files from Remote Machines

Exterminator

Exterminator

Community Manager
Thread author
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Content source
http://news.softpedia.com/news/zero-day-ffmpeg-vulnerability-lets-anyone-steal-files-from-remote-machines-498880.shtml
A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is currently used in numerous Linux kernel-based operating systems and software applications, also for the Mac OS X and Windows platforms, was unveiled recently.

The vulnerability was discovered on January 12, 2016, by Russian programmer Maxim Andreev in the current stable builds of the FFmpeg software, and it would appear that it allows anyone who has the necessary skills to hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file.

The vulnerability is limited to reading local files and sending them over the network, not to remote code execution, but it's enough to do some damage. The FFmpeg developers are aware of the issue, and they are trying to patch it as we speak. James Darnley of FFmpeg suggests that disabling HLS (HTTP Live Streaming) while building the package should do the trick until a fix is committed.

"ffmpeg has a vulnerability in the current version that allows the attacker to create a specially crafted video file, downloading which will send files from a user PC to a remote attacker server. The attack does not even require the user to open that file - for example, KDE Dolphin thumbnail generation is enough. Desktop search indexers (i.e. baloo) could be affected. ffprobe is affected, basically all operations with file that involve ffmpeg reading it are affected," reads an Arch Linux bug report submitted today.

Already patched in Arch Linux
We've been informed earlier today, January 13, 2016, that Arch Linux developers have already patched the FFmpeg 2.8.4 packages in the operating system by rebuilding them without the AppleHTTP and HLS demuxers. Therefore, all Arch Linux users are urged to update their FFmpeg packages to version 2.8.4-3. It is also possible to fix the issue by rebuilding the FFmpeg packages without network support, using the --disable-network configure flag, but that seems a bit too much.

We will update the article later today or tomorrow, when the FFmpeg team releases a patch or a new version of the software. Other GNU/Linux distributions should also rebuild the FFmpeg packages available in the default software repositories using the method explained above. All operating systems that use FFmeg 2.8.4 or previous versions are affected.
Click to expand...
 
  • Like
Reactions: frogboy, Rishi, harlan4096 and 3 others
You must log in or register to reply here.

Similar threads

CyberTech
    • Like
    • +Reputation
Critical WebP bug: many apps, not just browsers, under threat
Replies
1
Views
1,541
News Archive
Andy Ful
Andy Ful
Bot
Security News Fortra Patches Critical RCE Vulnerability in FileCatalyst Transfer Tool
Replies
0
Views
456
Security News
Bot
Bot
[correlate]
    • Like
    • +Reputation
Atlas VPN zero-day vulnerability leaks users' real IP address
Replies
0
Views
1,104
News Archive
[correlate]
[correlate]

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top