VUPlayer fails to properly handle malformed playlists. This vulnerability may allow a remote attacker to execute arbitrary code.
VUPlayer is a freeware audio player for the Microsoft Windows platform. It can play various types of media files, such as MP3s. A Playlist (.PLS or .M3U) file is a text file that contains links to other media files to play. VUPlayer supports the use of playlist files.
VUPlayer fails to properly handle malformed playlists allowing a stack-based buffer overflow to occur.
A remote unauthenticated attacker may be able to execute arbitrary code by convincing a user to open a specially crafted playlist. This can be achieved by creating a specially crafted web page or other HTML document that may launch VUPlayer without any user interaction.
We are unaware of a solution to this problem. Until a solution becomes available the following workarounds are strongly encouraged:
Do not open playlist files from untrusted sources
This vulnerability was reported by Greg Linares.
This document was written by Jeff Gennari.
|Date First Published:||2007-09-06|
|Date Last Updated:||2007-09-06 21:51 UTC|