Aug 20, 2010 14:57 GMT

The VideoLAN project has released version 1.1.3 of its popular VLC Media Player program, which includes a patch for a critical arbitrary code execution vulnerability.

VLC is a powerful cross-platform multimedia player capable of playing most media formats natively, without the need for additional codecs. It is open source and distributed under the GNU General Public License.

The vulnerability addressed in version 1.1.3 is identified as CVE-2010-2937 and was discovered by security researchers from Fortinet's FortiGuard Labs.

It stems from insufficient input validation in the program's TagLib plugin, which is used to parse ID3v2 tags containing meta-information about media files.

To exploit this flaw, an attacker can trick a user into playing a file with a specially crafted ID3v2 tag, which would trigger a memory corruption error.

The VLC developers say that in most scenarios this would only crash the application and result in a denial-of-service condition.

However, VUPEN Security, one of the leading vulnerability research companies, rates the issue as critical and claims that it can also be exploited to execute arbitrary code.

"A vulnerability has been identified in VideoLAN VLC, which could be exploited by attackers to cause a denial of service or compromise a vulnerable system.

"This issue […] could be exploited by attackers to crash an affected application or execute arbitrary code by tricking a user into opening a malicious media file (e.g. MP3)," the company writes in its advisory on the vulnerability.

VLC is available for a variety of platforms, including Windows, Mac, Linux, BSD and Solaris, but the VideoLAN Project only distributes precompiled binaries for Windows and Mac.

VLC Media Player versions 1.1.2 down to 0.9.0 are affected by this flaw, so in addition to the new 1.1.3 version, the VLC developers have released patches for versions 1.1.2, 1.1.1, 1.1.0 and 1.0.6 that can be applied manually.
