Hi, To Nguyen Nam : You can see details in http://sourceforge.net/forum/forum.php?forum_id=597807
Besides, K-lite Codec Pack that contains the fixed version of ffdshow have been released today (11-26-2008). Thanks, SVRT-Bkis ---------------------------------------------------------------- Bach Khoa Internetwork Security Center (BKIS) Hanoi University of Technology (Vietnam) Email : [EMAIL PROTECTED] Website : www.bkav.com.vn WebBlog : security.bkis.vn Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg ---------------------------------------------------------------- ----- Original Message ----- From: "Nam Nguyen" <[EMAIL PROTECTED]> To: "svrt" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]>; <full-disclosure@lists.grok.org.uk> Sent: Tuesday, November 25, 2008 9:41 AM Subject: Re: [SVRT-05-08] Critical BoF vulnerability found in ffdshow affecting all internet browsers (SVRT-Bkis) > The report is for ffdshow, but the referred URL is to ffdshow-tryout. I > wonder if they are the same. > > Cheers > Nam > > On Mon, 24 Nov 2008 15:17:05 +0700 > "svrt" <[EMAIL PROTECTED]> wrote: > >> 1. General Information >> >> ffdshow is a DirectShow filter and VFW codec for many audio and video >> formats, such as DivX, Xvid and H.264. It is the most popular audio and >> video decoder on Windows. Besides a stand-alone setup package, ffdshow is >> often included in almost all codec pack software such as K-lite Codec > Pack, >> XP Codec Pack, Vista Codec Package, Codec Pack All in one,. >> >> In Oct 2008, SVRT-Bkis has detected a serious buffer overflow > vulnerability >> in ffdshow which affects all available internet browsers. Taking >> advantage > >> of the flaw, hackers can perform remote attack, inject viruses, steal >> sensitive information and even take control of the victim's system. >> >> Since ffdshow is an open source software (can be found at >> http://sourceforge.net/projects/ffdshow-tryout), we have contacted the >> developing team and they have patched the vulnerability in the latest >> version of ffdshow. >> >> Details : http://security.bkis.vn/?p=277 >> SVRT Advisory : SVRT-05-08 >> Initial vendor notification : 13-11-2008 >> Release Date : 24-11-2008 >> Update Date : 24-11-2008 >> Discovered by : SVRT-Bkis >> Security Rating : Critical >> Impact Remote : Code Execution >> Affected Software : ffdshow (< rev2347 20081123) >> >> 2. Technique Description >> >> The flaw occurs when ffdshow works with a media stream (e.g. >> http://[website]/test.avi). On parsing an overly long link, ffdshow would >> encounter a buffer overflow error as the memory is not allocated and >> controlled well. >> >> ffdshow is in fact a codec component for decoding multimedia formats so >> it > >> must be used via some media player; the default program is Windows Media >> Player (wmp). Due to this reason, all internet browsers that support wmp >> plug-in are influenced by this vulnerability, such as Internet Explorer, >> Firefox, Opera, Chrome... >> >> In order to exploit, hackers trick users into visiting a website > containing >> malicious code. If successful, malicious code would be executed without > any >> users' further interaction. Hackers can then take complete control of the >> system. >> >> 3. Solution >> >> As for the seriousness of the vulnerability, it has been patched in the >> latest version of ffdshow by the developing team of the software. Bkis >> Internetwork Security Center highly recommends that users should update >> ffdshow to the latest version here: >> > http://sourceforge.net/project/showfiles.php?group_id=173941&package_id=199416&release_id=439904 >> >> At the moment, there are a lot of software packages packing ffdshow that >> haven't been updated. On account of this, users should also update the >> ffdshow latest versions: >> - K-Lite Codec Pack (lastest version). >> - XP Codec Pack (lastest version). >> - Vista Codec Package (lastest version). >> - Codec Pack All in one (lastest version). >> - Storm Codec Pack (lastest version). >> - And many other software Codec packages using ffdshow. >> >> In addition, software producers that make use of ffdshow in their >> products > >> should also update these products with the latest version of ffdshow. >> >> 4. Credits >> Thanks Nguyen Anh Tai for working with SVRT-Bkis. >> >> ---------------------------------------------------------------- >> Bach Khoa Internetwork Security Center (BKIS) >> Hanoi University of Technology (Vietnam) >> >> Email : [EMAIL PROTECTED] >> Website : www.bkav.com.vn >> WebBlog : security.bkis.vn >> Our PGP : http://security.bkis.vn/policy/pgp/SVRT-Bkis.gpg >> ---------------------------------------------------------------- >> >> >> >> > > > -- > Nam > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/