Mpg123 has a vulnerability that could allow code on a malicious server to take over the system

A vulnerability found in open source MPEG audio player mpg123 received a "highly critical" rating on Tuesday from security information provider Secunia.

The software vulnerability may lead to an exploit in which a specially crafted MP2 or MP3 file could cause a memory problem called a "buffer overflow" that could allow an attacker to run malicious code.

"Mpg123 allows users to listen to music and receive data streams from a server. But if they listen to music from a malicious server, then it could compromise their own system," said Thomas Kristensen, Secunia chief technology officer. "The owner of the malicious server would be able to do actions like the user on their own system."

Those actions could include taking control of a user's applications to send email -- perhaps aiding in identity theft or the spread of viruses -- or alter files. However, Kristensen said the vulnerability may be difficult to exploit.

A buffer overrun attack injects more data into a particular memory location than a program can accommodate, and by carefully crafting the data that overflows into other parts of memory, attackers can run programs to take over the computer. However, it can be difficult to craft that attack data.

Nonetheless, Secunia has given the vulnerability a "highly critical" rating because of the relative ease in enticing users to receive free streaming media.

Secunia advises people to use another product until a patch is available for mpg123's latest vulnerability.

Other vulnerabilities have been found in the open source media player in the past two years, which is used by Linux and Unix systems.

The most recent vulnerability was published on Monday by the Gentoo Foundation, a Linux programming and development project.

Copyright © 1995-2009 CNET Networks, Inc. All rights reserved
ZDNET is a registered service mark of CNET Networks, Inc. ZDNET Logo is a service mark of CNET Networks, Inc.