A zero-day vulnerability in the FFmpeg open-source multimedia framework, which is used by shedloads of Linux kernel-based operating systems and software applications and Mac OS X and Windows platforms has been spotted.
The vulnerability was discovered on January 12, 2016, by Russian programmer Maxim Andreev. Anyone who has the necessary skills to hack a computer to read local files on a remote machine and send them over the network using a specially crafted video file.
The hole is limited to reading local files and sending them over the network, not to remote code execution, but it’s rather embarrassing. The FFmpeg developers are aware of the issue, and they are trying to patch it. If you are worried about it you can disable HLS (HTTP Live Streaming) while building the package while the sort out a fix. The FFmpeg team are expected to release a patch or a new version of the software later today.
The attack does not even require the user to open the dodgy file. KDE Dolphin thumbnail generation is enough to start the hack. Desktop search indexers, ffprobe or any operations that involve ffmpeg reading are affected.