Exploit emerges for LZO algo hole

Security Mouse security researcher Don A Bailey has showcased an exploit of the Lempel-Ziv-Oberhumer (LZO) compression algorithm running in the Mplayer2 media player and says it could leave some Linuxes vulnerable to attack. The LZO data compression algorithm was created by Markus Oberhumer in 1994 and was discovered to be …

  1. John Smith 19
    Black Helicopters

    "Discovered in June"

    Of what year?

    By whom?

  2. tony2heads

    Memo to self

    Must avoid Nyan Cat videos... at least on Mplayer2

  3. frank ly

    Is there anything that doesn't have security holes?!

    I'm just wondering.

    1. I. Aproveofitspendingonspecificprojects
      FAIL

      Going back just one lifetime

      If the original computer crackers had a crib they'd be in in a flash with all the data collected over the 3 or more days (that it used to take to "crack-in") exploited. Good enough to win battles not good enough to prepare for them.

      Do you think they can't plant similar cribs in every anarchist's group known?

      Today if the NSA wants your information they only need to plant such cribs using their own account info.

      If they wanted to know how a bank encrypts their data, for instance, they open an account with the bank. They then know what the coded data says. How long do you think it takes to break every code in every bank with the sort of funding the NSA and GCHQ enjoys?

      But it is even easier than that. They know how the banks work. Every government agency is migrating to Adobe back ends and what isn't on Microsoft XP /Blackhelicopterhat wearing Linux servers is not worth getting (but they get that too anyway.)

      Ditto for any Iranian etc. computers that have any sort of prefabrication from the USA or its ally the Democratic People of China. If they can tell what books you have been reading over the last 13/14 years they can do everything. Why it took Snowden to point that out beggars logical reason.

  4. Nuno trancoso

    Software that takes outside data is open to attacks. Software that uses other software in its operations extends its own attack surface. Repeat that 'cause that's what a plugin is. Anything non trivial?

    No cookies to El Reg to have failed to notice "can only happen if you use uncommonly huge buffer sizes where you have to decompress more than 16 MiB (> 2^24 bytes) untrusted compressed bytes within a single function call" which kinda makes it obvious why a video app was chosen as target.

    And some apps/distros didn't update in 11 days against a problem that might likely affect 0.00000001% of their users. How sloppy.

    From reading up on it, seems "someone" got pissed that they got dismissed on the grounds of "not life or death" so decided to get his 15m by showcasing the potential while omitting the likelihood.

    1. pixl97

      Re: Nuno

      You've not done your reading on this exploit yet. It went from 'not exploitable' to 'exploitable in a case or two' to 'we're finding new exploit avenues every day'.

      I'd have thought you'd have learned after looking at 20+ years of netsec experience online that vulnerabilities never get better after being released, the only potential is to get worse.

  5. KjetilS

    Ah, so that's why Debian pushed an update this week.

  6. Anonymous Coward
    Big Brother

    Lempel-Ziv-Oberhumer (LZO) exploit

    "Security Mouse security researcher Don A Bailey has showcased an exploit of the Lempel-Ziv-Oberhumer (LZO) compression algorithm running in the Mplayer2"

    Is there a link to a working version of this exploit?


Biting the hand that feeds IT © 1998–2019