MoAB #2: VLC Media Player udp:// Format String Vulnerability

The “Month of Apple Bugs” (MoAB) continues:

LMH writes, “The following description of the software is provided by vendor (VideoLAN):”

VideoLAN is a software project, which produces free software for video, released under the GNU General Public License. The main product is the cross-platform VLC media player. The VLC media player is a highly portable multimedia player for various audio and video formats (MPEG1, MPEG2, MPEG4, DivX, mp3, ogg, …) as well as DVDs, VCDs, and various streaming protocols. It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.

LMH writes, “A format string vulnerability exists in the handling of the udp:// URL handler. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC.”

LMH writes, “This issue has been successfully exploited in VLC version 0.8.6 for Mac OS X. Previous versions and other platforms might be affected (thanks to David Maynor for confirming the issue in the Microsoft Windows version).”

Full article here.

VideoLAN plans an update to VLC soon: “Updated binaries for Windows and MacOS X are not available yet. The VideoLAN project apologizes for any user inconvenience; as a volunteer activity, we cannot keep up with a zero-day security vulnerability disclosure.” More info: http://www.videolan.org/sa0701.html
Already — on just the second day of his irresponsible odyssey — LMH* is forced to try to make a bug in VideoLAN’s VLC qualify as an “Apple bug.” Fool.

We have no problem with people identifying “bugs,” if they report them to Apple first so that they can be fixed. To simply post “bugs” online for everyone, including Apple (and, in this case, VideoLAN) to find out about simultaneously is irresponsible, contemptible, and smacks of a desperate cry for attention/FUD campaign.

Doing it the right way means finding the issue, reporting it to Apple, and a fix being issued with a credit/thank you from Apple.

Doing it LMH’s way means finding the “bug,” posting it online, jeopardizing users, getting his name in articles, generating a bunch of sensationalist and incorrect Apple Mac security articles, and a fix being issued from Apple (or, in this case, VideoLAN).

So, on Day #2, with only one Apple “bug” revealed so far, LMH’s batting average has already been sliced in half. How long until he strikes out? Or do you think he’s out already after today’s caught foul tip?

*Just guessing: Loser Most Hated?

Related MacDailyNews articles:
MoAB #1: Apple Quicktime RTSP URL Handling Buffer Overflow Vulnerability – January 02, 2007
Starting January 1st: “Month of Apple Bugs” – December 19, 2006

57 Comments

  1. How many people actually ise this software? I’ve never heard of it. Yikes! Desperate or what?

    Isn’t he already a day behind? This is January 3 and he’s only listed two purported bugs, one of which isn’t even an Apple problem.

    LOL

  2. iScott,

    You’re not serious are you?! MDN is supposed to ignore something called “Month of Apple Bugs?” What are you, four-years-old?

    You people who randomly call for MDN to ignore this or that person or story (examples: Enderle, Dvorak, etc.), thinking that “it’ll just go away,” are, at best, naive.

    You don’t ignore something hoping it’ll just go away. For an extreme example, see: Adolf Hitler.

    You shine a bright light on something and let people see it, so they know that others know something’s wrong with it, too.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.