Microsoft has provided details of several critical vulnerabilities in older versions of FFmpeg's open source video codec tools and libraries; these could allow an attacker to execute arbitrary code on a system by getting users to open a specially crafted media file. This would execute the malicious code with the same permissions as the user. Another issue reported by Secunia could have the same effect.

For the Microsoft flaws, all versions of FFmpeg up to and including 0.10 are vulnerable, while for the Secunia issue, versions up to and including 0.11.2 are affected. The Microsoft-discovered vulnerabilities are present in the libavcodec library which suffers from memory corruption when parsing ASF, QuickTime (QT) and Windows Media Video (WMV) files. The issue described by Secunia was reported by Dale Curtis of Google and fixed at the end of September; according to the commit, this issue has only been present since May 2012.

The latest version of FFmpeg, 1.0, is not vulnerable to these problems and the FFmpeg developers have already fixed the holes in earlier versions, though there does not appear to have been a release of FFmpeg since the Secunia-reported problem was fixed. The latest versions of FFmpeg for Windows, Mac OS X and Linux are available from the project's web site.

FFmpeg is used to record, convert and stream audio and video files in various formats. As it is used by several popular open source software projects including the VLC Media Player, MPlayer and others, other projects may be exposed to these issues. FFmpeg is licensed under the LGPL or GPL depending upon the configuration.