[brigade]

Yes, I know that multimedia/image vulnerabilities are popular vectors for zero-click attacks. My point is that desktop players are not a vector for zero-click attacks, and ffmpeg has not generally been used in end-user situations that are targets of zero-click or drive-by attacks. Mostly because of the license, but still.

If the exploit chain involves the user downloading and opening a file, something like >99% of the time the next step already involves executable code (or Office macros), which makes any ffmpeg vuln completely useless.

[phil21]

In a past life as a managed hosting provider ffmpeg exploits were used to gain access to systems.

It’s used for pretty much any platform you can upload video to. Some places far more competently than others.

[brigade]

See, I’d be interested in any actual evidence/writeups of that in the wild.

[bawolff]

In fairness, i dont think the majority of actual exploits used in the wild get writeups.

Budget web host using outdated software getting hacked because they havent updated in 2 years isn't exactly all that interesting of a blog post even if the victim knows enough to figure out what happened.

[dpe82]

Chrome uses ffmpeg's underlying libraries.

It's used way, way more than you think.

[brigade]

Yes, I’m quite familiar with that. Chrome is why I added the “generally” qualifier.

And to the best of my knowledge, there has not been any in-the-wild exploit against Chrome through the handful of ffmpeg codecs they enable. Not even pwn2own type competitions either, as I recall.

[dpe82]

I guess I'm confused - are you trying to imply the lack of a thorough, publicly reported successful exploit (or us just not casually giving you one that you care about) means that we're all released from the responsibility of taking potential exploits seriously?