A vulnerability has been found in popular open-source MPEG audio player mpg123, which receiving a "highly critical" rating Tuesday from security information provider Secunia.
The software vulnerability stems from an error in the parsing of frame headers for layer-2 audio streams. That may lead to an exploit in which a specially crafted MP2 or MP3 file could cause a buffer overflow and allow an attacker to run malicious code.
"Mpg123 allows users to listen to music and receive data streams from a server. But if they listen to music from a malicious server, then it could compromise their own system," said Thomas Kristensen, Secunia chief technology officer. "The owner of the malicious server would be able to do actions like the user on their own system."
Those actions could include taking control of a user's applications to send e-mail--perhaps aiding in identity theft or the spread of viruses--or alter files. However, Kristensen said the vulnerability may be difficult to exploit.
A buffer overrun attack injects more data into a particular memory location than a program can accommodate, and by carefully crafting the data that overflows into other parts of memory, attackers can run programs to take over the computer. However, it can be difficult to craft that attack data.
Nonetheless, Secunia has given the vulnerability a "highly critical" rating because of the relative ease in enticing users to receive free streaming media.
Secunia advises users to use another product until a patch is available for mpg123's latest vulnerability.
Other vulnerabilities have been found in the open-source media player in the past two years, which is used by Linux and Unix systems.
The most recent vulnerability was published Monday by the Gentoo Foundation, a Linux programming and development project.
Reply With Quote