Critical Flaw Found in Streaming Library Used by Media Players Including VLC
Security researchers from Cisco Talos have released details of a critical code execution vulnerability in the LIVE555 Streaming Media RTSP Server library, which is used by several media players, including the popular VLC. VLC has recorded more than one billion downloads since 2005. Because the flaw sits in the library's server-side RTSP code, a product's exposure depends on whether it actually builds and exposes that component rather than only the client classes.
The flaw lies in the HTTP packet-parsing functionality of the LIVE555 RTSP Server library. To exploit it, an attacker would send a specially crafted packet to the server; the malformed HTTP request triggers a stack-based buffer overflow, which can lead to code execution.
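To make the bug class concrete, here is an added example that is not LIVE555's code and not Cisco Talos's proof of concept: a minimal parser for one header of an RTSP-over-HTTP tunnelling request, written first in the vulnerable pattern (the header value is copied into a fixed-size stack buffer with no length check) and then in a bounded form that fails closed. The header name, the 32-byte buffer, the function names and the two sample requests are assumptions chosen for illustration; which header or buffer the real flaw involved is not stated on this page.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class, not LIVE555 code. The buffer
 * size, function names and the header chosen are assumptions. */
#define HDR_VALUE_MAX 32   /* fixed-size stack buffer for one header value */

/* Two constructed requests of the kind an RTSP-over-HTTP tunnelling client
 * sends. The second carries an oversized header value. */
static const char BENIGN_REQ[] =
    "GET /stream HTTP/1.0\r\n"
    "x-sessioncookie: abc123\r\n"
    "Accept: application/x-rtsp-tunnelled\r\n"
    "\r\n";

static const char CRAFTED_REQ[] =
    "GET /stream HTTP/1.0\r\n"
    "x-sessioncookie: "
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA"   /* 64 bytes of filler,      */
    "AAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAA"   /* twice the buffer size    */
    "\r\n\r\n";

/* Find "name:" at the start of a line and return a pointer to the first
 * non-blank byte of its value; *value_len is the length up to CR/LF or end of
 * input. NULL when absent. Shared by both copy routines; only the copy differs. */
static const char *find_header(const char *req, size_t req_len,
                               const char *name, size_t *value_len) {
    size_t name_len = strlen(name);
    for (size_t i = 0; i + name_len < req_len; i++) {
        bool line_start = (i == 0) || req[i - 1] == '\n';
        if (!line_start || strncmp(&req[i], name, name_len) != 0 || req[i + name_len] != ':')
            continue;
        size_t v = i + name_len + 1;
        while (v < req_len && (req[v] == ' ' || req[v] == '\t')) v++;
        size_t e = v;
        while (e < req_len && req[e] != '\r' && req[e] != '\n') e++;
        *value_len = e - v;
        return &req[v];
    }
    return NULL;
}

/* VULNERABLE pattern: the value is copied into the caller's fixed-size buffer
 * without comparing its length to the buffer size. With CRAFTED_REQ the 64-byte
 * value plus NUL would run 33 bytes past a 32-byte stack buffer, overwriting
 * whatever sits above it. Only ever fed BENIGN_REQ below. */
static void copy_header_unchecked(const char *req, size_t req_len,
                                  const char *name, char *out) {
    size_t len;
    const char *v = find_header(req, req_len, name, &len);
    if (v == NULL) { out[0] = '\0'; return; }
    memcpy(out, v, len);          /* no bound on len */
    out[len] = '\0';
}

/* HARDENED: the destination size travels with the buffer, and an oversized
 * value makes the call fail closed (empty result, false) so the request can be
 * rejected instead of parsed. */
static bool copy_header_checked(const char *req, size_t req_len,
                                const char *name, char *out, size_t out_size) {
    size_t len;
    if (out_size == 0) return false;
    out[0] = '\0';
    const char *v = find_header(req, req_len, name, &len);
    if (v == NULL) return false;
    if (len + 1 > out_size) return false;   /* would not fit: refuse */
    memcpy(out, v, len);
    out[len] = '\0';
    return true;
}

/* Length of the named header's value (0 if absent): the number of bytes the
 * unchecked copy would write before the terminating NUL. */
static size_t header_value_len(const char *req, size_t req_len, const char *name) {
    size_t len = 0;
    return find_header(req, req_len, name, &len) ? len : 0;
}

/* 1 if the hardened parser accepts the request and yields exactly `expected`. */
static int checked_parse_gives(const char *req, size_t req_len, const char *expected) {
    char value[HDR_VALUE_MAX];
    if (!copy_header_checked(req, req_len, "x-sessioncookie", value, sizeof value)) return 0;
    return strcmp(value, expected) == 0;
}

/* 1 if the unchecked copy yields "abc123" from the in-bounds BENIGN_REQ. */
static int unchecked_benign_ok(void) {
    char value[HDR_VALUE_MAX];
    copy_header_unchecked(BENIGN_REQ, sizeof BENIGN_REQ - 1, "x-sessioncookie", value);
    return strcmp(value, "abc123") == 0;
}

int main(void) {
    printf("unchecked copy, benign input ok: %d\n", unchecked_benign_ok());
    printf("crafted value is %zu bytes, buffer holds %d\n",
           header_value_len(CRAFTED_REQ, sizeof CRAFTED_REQ - 1, "x-sessioncookie"),
           HDR_VALUE_MAX - 1);
    printf("checked parser accepts crafted request: %d\n",
           checked_parse_gives(CRAFTED_REQ, sizeof CRAFTED_REQ - 1, ""));
    return 0;
}
```

The unchecked routine is deliberately never run on the crafted request: doing so is the overflow itself and undefined behaviour, so the example instead reports how many bytes it would have written into the 32-byte buffer. The fix principle is the one any bounded parser follows: the destination size is passed alongside the pointer, the length is compared before the copy, and a value that does not fit causes the request to be refused rather than truncated silently.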
The Cisco Talos research team confirmed the flaw in LIVE555 version 0.92 and said it may be present in earlier versions of the library as well.
LIVE555 media libraries are used by several media players, including VLC and MPlayer, as well as embedded devices capable of streaming media, such as cameras.
Cisco Talos reported the vulnerability to Live Networks Inc, the developer of the LIVE555 open source C++ libraries, on October 10, after discovering and validating the flaw.
Details were made public on 18 October, the day after Live Networks released a patch on 17 October. Holding disclosure until a fix was available was the responsible course, since the flaw could have affected millions of unsuspecting users. Anyone embedding LIVE555 needs to rebuild against the patched release, and end users of products that bundle the library depend on their vendors shipping updated builds.