14 DAY TRIAL // The VideoLAN project has released version 1.1.7 of VLC media player in order to address a critical vulnerability which allows for arbitrary remote code execution.
The vulnerability was announced in an advisory at the beginning of this week after patches have been submitted to the VLC source code repository.
The flaw is the result of insufficient input validation in the MKV demuxer, the plugin responsible for parsing video files in Matroska or WebM format.
Dan Rosenberg of VSR (Virtual Security Research) is credited with discovering and reporting it to the VLC developers on January 26.
Exploitation involves tricking users into opening a maliciously crafted MKV file. The file can be stored on the local hard drive or a network share.
Web-based attacks leveraging this vulnerability are also possible thanks to the VLC Internet Explorer ActiveX control or the Firefox plugin.
Such attacks, known as drive-by downloads, are usually transparent to the victims and can be launched from legit compromised websites.
Fortunately, the VLC Mozilla plugin is not installed by default, so chances are that only a small percentage of Firefox users have it deployed.
People are advised to install the latest version as soon as possible, but patches for older variants are also available in the Git repository as well.
VLC is a powerful cross-platform multimedia player capable of playing most media formats natively without the need of additional codecs. It is open source and is distributed under the GNU General Public License.
Binaries are regularly released by the VideoLAN Project for Windows and Mac OS X 10.5 or later, whiles Linux ones are usually provided by each distribution through its own release channels.
The latest version of VLC media player for Windows can be downloaded from here.
The latest version of VLC media player for Mac can be downloaded from here. The latest version of VLC media player for Linux can be downloaded from here.