Slashdot Mirror

← Back to Stories (view on slashdot.org)

Multiple FLAC Vulnerabilities Affect Every OS

Posted by kdawson on from the don't-hit-play dept.

Enon writes "eEye Digital Security has discovered 14 vulnerabilities in the FLAC file format that affect a huge range of media players on every supported operating system (Windows, Mac OS, Linux, Unix, BSD, Solaris, and even some hardware players are vulnerable). Heise points out a number of vulnerable apps that use the open source libavcodec audio codec library, which in turn relies on the flawed libFLAC library. These vulnerabilities could allow a person of ill will to trojanize FLAC files that could compromise your computer if they are played on a vulnerable media player. eEye worked with US-CERT to notify vulnerable vendors."

3 of 360 comments (clear)

  1. Sanity checks: by andreyvul · · Score: 5, Insightful

    Perform them.

    --
    proud caffeine whore
  2. Re:But I thought that this didn't happen with FOSS by Locklin · · Score: 5, Insightful

    Not that I like feeding trolls, but wake up, no one here think's FLOSS == perfect security, that's why both my Ubuntu and Fedora machine get software updates on a regular basis. The primary difference between FLOSS and proprietary security is transparency: do you know how many ten year old bugs are sitting in Windows or IE which Microsoft refuses to fix? Unless you work for them, you likely don't have a clue.

    --
    "Knowledge is the only instrument of production that is not subject to diminishing returns" -Journal of Political Econom
  3. Re:But I thought that this didn't happen with FOSS by BlueParrot · · Score: 5, Insightful

    So this is really ironic - Its my understating from reading hundreds and hundreds of /. posts that this isn't supposed to happen with FOSS. Only Micro$oft developers are supposed to have security bugs like this.


    You misunderstood. Where FLOSS differs from microsoft is:

    a)This bug was discovered by third parties because they had access to the source
    b)The bug is already fixed
    c)Even on still vulnerable systems it wouldn't give you root access
    d)It would have to rely on special plugins or user action
    e)The problem is clearly described and documented allowing users to take precautions

    Compare this to a vaguely described bug in your rendering engine for animated cursors enabling arbitrary webpages to compromise kernel space, and this not being fixed for days or even weeks despite documented exploits in the wild.

    Somehow I don't see the irony.