Libavcodec Bug Threatens Windows XP VLC Users


Watch out Windows XP diehards: if you run the open source media player VLC you may be vulnerable to malicious attacks. A bug discovered in November affecting VLC was recently made public on Full Disclosure, a security-focused mailing list.

The reported bug (dubbed CVE-2014-9597) allows a specially crafted video file with the FLV file extension opened in VLC 2.1.5 to corrupt memory. This could then allow the attacker to execute any code they want on the target machine. The vulnerability was tested on Windows XP SP3.

Why this matters: A bug that affects Windows XP may not be much of a worry for most users as XP’s user base has been slowly declining. But there are still some diehards holding on to the OS—around 18 percent of PC users worldwide run XP, according to Net Market Share. 

Not VLC

While the bug apparently affects VLC users, it doesn’t appear to be an issue with VLC itself. Instead, Jean-Baptiste Kempf, president of VideoLAN, the non-profit behind VLC, confirmed to PCWorld that the bug is caused by libavcodec. Libavcodec is a third-party code library for encoding and decoding video and audio, maintained by FFmpeg. Kempf also said that he was unable to replicate the bug on Windows.

Whether or not the bug is a serious concern for users, the threat may not be long-lived anyway. Kempf says the second release candidate for VLC version 2.2.0 fixes the issue. Concerned XP users can download and try out the release candidate from VideoLAN.

[via Threatpost]

This article was updated on January 20 at 8:08 AM Pacific to clarify that VLC 2.2.0 will run on Windows XP.

This story, "Libavcodec Bug Threatens Windows XP VLC Users" was originally published by PCWorld.
