Today I would like to address a mysterious security issue in VLC Player 2.1.5. This popular media player appears to have two memory-management flaws that can be exploited to execute arbitrary code.
The issue was revealed by the German news site heise.de. In November 2014, security researcher Veysel Hatas discovered two critical vulnerabilities in VLC Player 2.1.5. The VLC Media Player 2.1.5 Memory Corruption Vulnerabilities (CVE-2014-9597, CVE-2014-9597) are documented here. One of them may allow an attacker to corrupt memory and potentially execute arbitrary code via a crafted FLV or MPEG-V2 video file.
Veysel Hatas was able to reproduce the issue with prepared Flash and MPEG-V2 video files under Windows XP SP3 (it should also work on Windows 7 SP1). He informed the VLC developers about the issue in December 2014. However, the VLC developers had already closed the VLC Player ticket (it appears the ticket has since been reopened), because the vulnerability is located in the FFmpeg library libavcodec. The FFmpeg bug tracker, however, does not contain a ticket for such an issue. The VLC developers have announced that the next version of VLC Player, 2.2.0, will fix this vulnerability.