According to an advisory from security services provider Secunia, the VLC Media Player is at risk from multiple vulnerabilities in the Libmodplug library, which it rates as "highly critical". First reported by a user with the pseudonym "epiphant", the flaws in Libmodplug, also known as the ModPlug XMMS Plugin, are said to be stack-based buffer overflows caused by "boundary errors within the 'abc_new_macro()' and 'abc_new_umacro()' functions in src/load_abc.cpp".

The overflows could be exploited by an attacker to execute arbitrary code on a victim's system. For an attack to be successful, a user must first open a specially crafted malicious media file. Secunia notes, however, that this may only affect precompiled versions of VLC.

The vulnerabilities have been confirmed to affect the latest 1.1.9 release of VLC for Windows. Other versions may also be affected. Until a patch or update has been released to fix the bug, users are advised not to open untrusted files.

See also:

VLC Media Player 1.1.9 closes security holes, a report from The H.

(crve)