Page 2 of 2 FirstFirst 12
Results 11 to 20 of 20

Thread: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

  1. #11
    Join Date
    Apr 2008
    Location
    LOCATION=/dev/random
    Beans
    5,767
    Distro
    Ubuntu Development Release

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    If you read the security advisory properly then you can see how small of an issue this is.

    An attacker would have to trick you into opening a specially crafted PNG image with VLC. Even if this happens they will only succeed in crashing VLC, they can't do anything else or gain access to your system.

    As others have said these sort of vunerabilities are common, there is no point worrying yourself about them.
    Last edited by Cheesemill; December 1st, 2012 at 10:07 PM.
    Cheesemill

  2. #12
    Join Date
    Jun 2011
    Beans
    342

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    Indeed, it seems highly unlikely this bug will actually affect end users. Which raises the question why the VLC developers posted the strongly worded warning on their blog. This looks like a niche annoyance which may cause a crash, not an exploit. I wouldn't be in a rush to upgrade.

  3. #13
    Join Date
    Jan 2012
    Beans
    753

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    From http://www.videolan.org/security/sa1203.html:

    Because the overflow occurs while reading a buffer, rather than writing, it is believed that this issue cannot lead to arbitrary code execution.

  4. #14
    Join Date
    Nov 2012
    Beans
    23

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    Quote Originally Posted by haqking View Post
    I am running 2.0.5
    I thought I had him beat. I'm running 2.0.4 and I'm using Xubuntu, but I'm not sure that should make a difference.

  5. #15
    Join Date
    Oct 2012
    Beans
    14

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    Thanks guys. I'm new to ubuntu and don't know these things about it.

    But a bug that causes a program to crash is bad news because a remote code execution is very possible from this response of the program. That is why VLC worded it so strongly.

    App Armor sounds good. I wish the ubuntu developers would release a profile for it because it is too hard for me to configure right. I wish VLC was something the developers put some attention to because it works so much better than the Totem player.

  6. #16
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    Quote Originally Posted by Hungry Man View Post
    VLC, like many programs, takes in input. Just as PDF readers can take in malformed PDFs and be exploited, so can a media player.

    I would highly suggest setting up AppArmor for situations like this - I think I have one if anyone would like it, but it's one of my 'messing around' profiles, so it's not perfect.

    You're unlikely to run into:
    1) this exploit in the wild
    2) a payload that runs on Linux

    but if you'd like to be safe it's not hard.
    Just a note; comparing this to malicious PDF files isn't a valid comparison – PDFs contain executable JavaScript code in them, whereas media files (excluding the ones made by Microsoft) do not. It is considerably harder to infect something with a bunch of media files than it is with a PDF (why is the Adobe PDF plugin the most exploited on the Internet after all?).
    Read my technology blog at: http://penguincampaigner.wordpress.com

  7. #17
    Join Date
    Dec 2006
    Beans
    6,935

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    Quote Originally Posted by haqking View Post
    I am running 2.0.5
    Running 2.1.0 here:

    Code:
    andrew@corinth:~$ vlc --version | head -n 1
    VLC media player 2.1.0-git Rincewind (revision 8fec577)
    VLC version 2.1.0-git Rincewind (8fec577
    You think that's air you're breathing now?

  8. #18
    Join Date
    Mar 2011
    Beans
    669

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    Just a note; comparing this to malicious PDF files isn't a valid comparison – PDFs contain executable JavaScript code in them, whereas media files (excluding the ones made by Microsoft) do not. It is considerably harder to infect something with a bunch of media files than it is with a PDF (why is the Adobe PDF plugin the most exploited on the Internet after all?).
    It's not really much harder. PDF is a poor example because the format is fairly dangerous in itself, but Javascript doesn't play into it. It's all about providing information to a program that the program can't handle. Big complex data types like PDF, DOC, or MOV are all going to let attackers fill them with tons of data - great for exploiting the complex backend systems.

    Why is Adobe Reader so exploited? Well, it isn't very much anymore to the same extent, but that's due to its popularity. It's installed on tons of machines and, as I said, there are a few inherently dangerous areas of PDFs.

    But I'd say infecting VLC is just as easy as Word, and there have been Word exploits in the wild before.

  9. #19
    Join Date
    Dec 2011
    Location
    Manchester, UK
    Beans
    356
    Distro
    Ubuntu

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    Quote Originally Posted by Hungry Man View Post
    It's not really much harder. PDF is a poor example because the format is fairly dangerous in itself, but Javascript doesn't play into it. It's all about providing information to a program that the program can't handle. Big complex data types like PDF, DOC, or MOV are all going to let attackers fill them with tons of data - great for exploiting the complex backend systems.

    Why is Adobe Reader so exploited? Well, it isn't very much anymore to the same extent, but that's due to its popularity. It's installed on tons of machines and, as I said, there are a few inherently dangerous areas of PDFs.

    But I'd say infecting VLC is just as easy as Word, and there have been Word exploits in the wild before.
    PDF is definitely a very poor format in this regard. But to your point of installed base – here is something to consider; the adobe flash plugin, widely known for being terrible at security, is actually less exploited than Reader. And that is installed on even more machines.

    Your point about the size and complexity of formats is interesting. While that's certainly true theoretically, in practise it is much easier to infect DOCs, PDFs etc. At the end of the day, WebM files don't run ActiveX or JavaScript on the machine, so you're much safer.

    Just look at the facts. How many media players get infected? Not very many. Hardly any in fact. You could say, “well, installed user base blah blah blah” but if you think about it, most people use only a few media players – WMP, VLC, Quicktime and not much else. That's certainly a large installed user base! In fact, it's the same amount of major PDF viewers available... (Adobe Reader, Evince and Okular, oh and Preview)

    Huh. That's actually more PDF viewers than media players in popular use. That's not even considering browser viewers like Chrome's...

    With regards to MS Word documents, LO is used by a significant number of users, yet it doesn't get infected much at all. Why? No executable rabble thrown into a static file.
    Read my technology blog at: http://penguincampaigner.wordpress.com

  10. #20
    Join Date
    Mar 2011
    Beans
    669

    Re: VLC 2.0.3 (ubuntu latest version) has serious security vulnerability

    Flash is exploited less than Reader because of the sandbox. Just as Reader 11 has only been exploited once in the wild so far, due to its sandbox. The Flash sandbox is probably a lot stronger.

    JavaScript doesn't really play into it. The Reader exploit that bypasses the sandbox doesn't use JavaScript. JavaScript is a nice way to break out of the sandbox because there's a renderer that'll have to do things like eval() and it's directly dealing with attacker controlled data. But the entire PDF has to be rendered and the entire PDF is attacker controlled data, so they can do it with or without JavaScript.

    Just look at the facts. How many media players get infected? Not very many. Hardly any in fact. You could say, “well, installed user base blah blah blah” but if you think about it, most people use only a few media players – WMP, VLC, Quicktime and not much else. That's certainly a large installed user base! In fact, it's the same amount of major PDF viewers available... (Adobe Reader, Evince and Okular, oh and Preview)
    The user base for video players is far more split up than the user base for PDF readers. Reader has by far a larger userbase than VLC, and that really is the big difference here.

    There are a million video players and a million PDF readers, what's important is which ones hold top market share and how much that is and how much effort it takes to infect it.

    If VLC were very popular we'd see attacks on it.

    LO as in LibreOffice? It's not used by a significant number of users.

    Millions of people don't matter. Attackers like easy targets that 90% of the population will run. anything difficult to attack or anything with 30% of the population doesn't matter.

    There are loads of terribly insecure programs that could be exploited but they're just not popular enough to warrant the attention.

    In the case of VLC it's not terribly insecure, I haven't really thought about how practical infecting it is (though, again, it's a matter of running VLC content on a page for remote exploits or telling a user to run the local file) but I don't see it as any less practical than infecting MS Word, Libre Office, or anything else.

Page 2 of 2 FirstFirst 12

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •