Softpedia
 


August 20th, 2010, 14:57 GMT · By

Critical Vulnerability Fixed in VLC Media Player



VLC 1.1.3 addresses critical vulnerability
The VideoLAN project has released version 1.1.3 of its popular VLC Media Player program, which includes a patch for a critical arbitrary code execution vulnerability.

VLC is a powerful cross-platform multimedia player capable of playing most media formats natively, without the need for additional codecs. It is open source and distributed under the GNU General Public License.

The vulnerability addressed in version 1.1.3 is identified as CVE-2010-2937 and was discovered by security researchers from Fortinet's FortiGuard Labs.

It stems from insufficient input validation in the program's TagLib plugin, which is used to parse ID3v2 tags containing meta-information about media files.

To exploit this flaw, an attacker can trick a user into playing a file with a specially crafted ID3v2 tag, which would trigger a memory corruption error.
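What bounds-checking the size fields of an ID3v2 tag involves, as an added example that is not code from VLC, TagLib or this article, and that does not reproduce the specific CVE-2010-2937 defect, whose details the article does not give. The names `id3v2_count_frames` and `read_size` and both sample tags are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a 4-byte size field; returns -1 if a syncsafe byte has bit 7 set. */
static int64_t read_size(const uint8_t *p, int syncsafe) {
    if (!syncsafe)
        return ((int64_t)p[0] << 24) | ((int64_t)p[1] << 16) | ((int64_t)p[2] << 8) | p[3];
    if ((p[0] | p[1] | p[2] | p[3]) & 0x80) return -1;
    return ((int64_t)p[0] << 21) | ((int64_t)p[1] << 14) | ((int64_t)p[2] << 7) | p[3];
}

/* Count the frames of an ID3v2.3/2.4 tag; -1 if any declared size or ID is invalid. */
int id3v2_count_frames(const uint8_t *buf, size_t len) {
    if (len < 10 || memcmp(buf, "ID3", 3) != 0) return -1;
    int ver = buf[3];
    if (ver != 3 && ver != 4) return -1;      /* other versions are rejected here */
    if (buf[5] & 0x40) return -1;             /* extended headers are rejected here */
    int64_t tag = read_size(buf + 6, 1);      /* the tag size is always syncsafe */
    if (tag < 0 || (uint64_t)tag > len - 10) return -1;   /* tag must fit the buffer */
    const uint8_t *p = buf + 10, *end = p + tag;
    int frames = 0;
    while (end - p >= 10 && p[0] != 0) {      /* a zero byte starts the padding */
        for (int i = 0; i < 4; i++)           /* frame ID must be A-Z or 0-9 */
            if (!((p[i] >= 'A' && p[i] <= 'Z') || (p[i] >= '0' && p[i] <= '9')))
                return -1;
        int64_t fsize = read_size(p + 4, ver == 4);       /* v2.4 frames are syncsafe */
        if (fsize < 0 || fsize > (end - p) - 10) return -1;  /* body must fit the tag */
        p += 10 + fsize;
        frames++;
    }
    return frames;
}

/* Constructed sample: v2.4 tag holding one TIT2 frame with a 5-byte body. */
static const uint8_t good_tag[] = {
    'I','D','3', 4,0, 0, 0,0,0,15,
    'T','I','T','2', 0,0,0,5, 0,0, 3,'T','e','s','t' };
/* Constructed sample: the same tag, but the frame claims a 127-byte body. */
static const uint8_t bad_tag[] = {
    'I','D','3', 4,0, 0, 0,0,0,15,
    'T','I','T','2', 0,0,0,127, 0,0, 3,'T','e','s','t' };

int main(void) {
    printf("good: %d\n", id3v2_count_frames(good_tag, sizeof good_tag));
    printf("bad:  %d\n", id3v2_count_frames(bad_tag, sizeof bad_tag));
    return 0;
}
```

A parser that trusts the declared frame size instead of checking it against the remaining tag bytes would read past the end of the buffer on the second sample.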

The VLC developers say that in most scenarios this would only crash the application and result in a denial of service condition.

However, VUPEN Security, one of the leading vulnerability research companies, rates the issue as critical and claims that it can also be exploited to execute arbitrary code.

"A vulnerability has been identified in VideoLAN VLC, which could be exploited by attackers to cause a denial of service or compromise a vulnerable system.

"This issue […] could be exploited by attackers to crash an affected application or execute arbitrary code by tricking a user into opening a malicious media file (e.g. MP3)," the company writes in its advisory on the vulnerability.

VLC is available for a variety of platforms, including Windows, Mac, Linux, BSD and Solaris, but the VideoLAN Project only distributes precompiled binaries for Windows and Mac.

VLC Media Player versions 1.1.2 down to 0.9.0 are affected by this flaw, so in addition to the new 1.1.3 version, the VLC developers have released patches for versions 1.1.2, 1.1.1, 1.1.0 and 1.0.6 that can be applied manually.

VLC Media Player 1.1.3 for Windows can be downloaded from here.

VLC Media Player 1.1.3 for Mac can be downloaded from here.


READER COMMENTS:


Comment #1 by: vijju on 25 Aug 2010, 11:13 UTC

ya its looking good


Comment #2 by: deepak on 06 Sep 2010, 14:18 UTC

good player
