Researchers at Core Security say they have identified a security vulnerability in the Visual Component Library (VLC) that affects apps developed with Delphi and C++ Builder.
In an advisory released today, the security firm revealed that an attacker is able to trigger a buffer overflow and possibly execute arbitrary code with the aid of malformed BMP files processed through affected programs. By exploiting this security hole, an attacker could execute code with the permissions of the user running the vulnerable application.
The vulnerability, discovered as part of Core Security's internal research efforts, impacts software developed with Embarcadero C++Builder XE6 version 20.0.15596.9843, Embarcadero Delphi XE6 version 20.0.15596.9843, and possibly other 32bit and 64 bit versions. The VCL is a component-based object-oriented framework that's utilized for developing the user interface of Windows applications, and it is integrated by default in these development environments.