There's a serious glitch in how applications from a variety of vendors process audio FLAC files, opening the door for attackers to hijack vulnerable computer systems, according to eEye Digital Security and the United States Computer Emergency Readiness Team (US-CERT).
FLAC (Free Lossless Audio Codec) is an audio format similar to .mp3 files but lossless, meaning the audio is compressed in FLAC without a loss in quality. The format works in similar fashion to .zip files, though FLAC is designed specifically for audio.
Researchers with Aliso Viejo, Calif.-based eEye discovered 14 flaws in the FLAC library and turned to US-CERT for help in notifying all the affected vendors when it became clear the list was too long for one organization to handle alone, said Andre Protas, eEye's director of research and preview services.
US-CERT said in its advisory that the flaw affects such vendors and programs as America Online, Cog, dBpoweramp, Foobar2000, jetAudio, PhatBox and Yahoo!
Once all the affected vendors were notified, he said, eEye and US-CERT decided to release details of the flaw. According to the eEye advisory, processing a malicious FLAC file within a vulnerable application could result in the execution of arbitrary code at the privileges of the application or the current user, depending on the operating system. The problem is that applications mishandle metadata values from malformed files.
"Attackers could send out a malicious FLAC file by email and once you click it, the attacker can install Trojans and other malware on the machine," Protas said in an interview Tuesday. "Most of the vulnerable vendors don't have the means to fix this within their products, so it's up to the user to apply the updated version."
It turns out that libFLAC 1.2.1 was released in September to address the issue for most vulnerable applications, but many vendors that were using libFLAC within their media applications or using their own homegrown FLAC file parsers had not been informed that their FLAC file parser was vulnerable, Protas said.
Danish vulnerability clearinghouse Secunia said in its SA27210 advisory that the issue is moderately critical and is due to various errors -- integer overflow errors, double-free errors and boundary errors in various components when processing FLAC media files.