MPlayer, VLC Media Player Hit By Critical Vulnerability

A critical remote code execution vulnerability has been spotted in the LIVE555 media streaming library used by popular media players such as VLC and MPlayer. "Maintained by the company Live Networks, the library works with RTP / RTCP, RTSP or SIP protocols, with the ability to process video and audio formats such as MPEG, H.265, H.264, H.263 +, VP8, DV, JPEG, MPEG, AAC, AMR, AC-3, and Vorbis," reports Hackread. From the report: These findings (CVE-2018-4013) have left millions of users of media players vulnerable to cyber attacks, according to Lilith Wyatt, a researcher at the Cisco Talos Intelligence Group. In this case, the flaw lies in the HTTP packet parsing functionality, which analyzes HTTP headers for RTSP tunneling over HTTP, explains. An update has already been issued to address the vulnerability. Therefore, if you are using any of the vulnerable media players make sure they are updated to the latest version.

What is the updated version?

[Registered+Coward+v2]

It would be helpful if articles such as this listed what VLC versions (or other software) have addressed this flaw, rather than just say have the latest updated. From the article the assumption is if you have the Win/OS X/Linux updated to the latest version you are not vulnerable.

Re:No, it doesn't affect *any* media player

Wish I'd seen this *before* I caved in to everyone's panic and updated VLC, only to instantly discover that least one feature I constantly use was now totally broken. Thankfully the old versions were still available on the website.

THIS IS WHY I NEVER UPDATE SHIT

RTFA

[notb666]

According to an email from Ross Finlayson of Live Networks, Inc., the vulnerability “does not affect VLC or MPlayer, because they use LIVE555 only to implement an RTSP. The bug affected only our implementation of a RTSP, which these media players don’t use. (VLC does have an embedded RTSP server, but that uses a separate implementation, not LIVE555’s.)”