MP3 Backend of Firefox and Thunderbird Found Vulnerable

jones_supa writes A critical vulnerability has been found in the MPEG-1 Layer III playback backend of Mozilla Firefox and Thunderbird. Security researcher Aki Helin reported a use-after-free scenario when playing certain audio files on the web using the Fluendo MP3 plugin for GStreamer on Linux. This is due to a flaw in handling certain MP3 files by the plugin and its interaction with Mozilla code. A maliciously crafted MP3 file can lead to a potentially exploitable crash. Linux is the only affected platform, so Windows and OS X users are safe from this particular vulnerability.

Royalty-free codecs help here

This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus audio and NetVC video become ubiquitous sooner rather than later.

Re:Royalty-free codecs help here

[gnasher719]

This is why it's important to have royalty-free codecs for the web that everyone is free to implement. You can choose to do your own implementation of a given codec and take direct responsibility for the security of the implementation, or ship your preferred choice of third-party implementation directly integrated with your product without any patent licensing hassle. I just hope Opus [opus-codec.org] audio and NetVC [tomshardware.com] video become ubiquitous sooner rather than later.

Lame, lame, lame. This is a bug. The same bug could happen with any codec. And as proven by OpenSSL, just because people _can_ look at code and find bugs, that doesn't mean they _do_ look at the code and find bugs.