Ryan Naraine
Exploit code for an unpatched vulnerability in the widely distributed Viewpoint Media Player has been posted on the Internet, putting millions of Internet Explorer users at risk of code execution attacks.
The exploit, available at Milw0rm.com, takes advantage of a stack-based buffer overflow in the Viewpoint browser plug-in that sits on millions of computers thanks to bundling deals with AOL, AIM, Netscape and Adobe.
The player serves as the graphics engine for AOL Instant Greetings, AIM Themes and other popular web applications and is also used to power product tours for the Toyota 4Runner and Sony laptop, desktop, and server computing products.
According to Shinnai, the hacker who discovered the flaw, the exploit was tested on a fully patched Windows XP Professional SP2 system with Internet Explorer 7.
The bug was found in xMetaStream.dll (version 3.3.2.26), which is marked as safe for scripting.