Besides regular bug fixes, the release also addresses a serious security issue

Sep 23, 2009 08:40 GMT

The VLC team is proud to announce that, after almost two months and 27 million downloads of VLC 1.0.1, the third release of the Goldeneye branch of VLC, 1.0.2, is now available for download. Mac OS X users can use the link included in this article to grab the latest version of the media player immediately.

According to the people behind the VideoLan Project, “This version introduces many fixes, notably for SSA decoding, v4l2, MacOS interface, ogg/theora, x264 modules and security issues.” “It also introduces the port to 64bits for Mac OS platform and 2 new languages (Kazakh and Croatian),” the team of developers says. However, “Because of the security issues, we strongly recommand [sic] everybody to update its version of VLC,” the VLC team warns.

Following a practice similar to Apple’s support technotes, the VideoLan Project team has posted “Security Advisory 0901” on the videolan.org site, detailing the security hole in question.

“When parsing a MP4, ASF or AVI file with an overly deep box structure, a stack overflow might occur,” the document reads. “It would overwrite the return address and thus redirect the execution flow,” according to the VLC developers, who credit Sebastian Apelt of siberas for reporting this issue.

“If successful, a malicious third party could trigger execution of arbitrary code within the context of the VLC media player,” the technote reads. Still, the advisory notes that for an attacker to exploit this issue, the user must explicitly open a specially crafted file.
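The mitigation for this class of bug is a hard bound on nesting depth in the demuxer. The following is an added C example, not VLC’s own code: a minimal recursive MP4-style box walker that refuses to descend past MAX_BOX_DEPTH, exercised against a constructed deeply nested input. The “cont” container type, the depth value of 32 and the helper names are assumptions for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_BOX_DEPTH 32  /* assumed bound; a real demuxer picks a value that covers legal files */

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}
/* Walk the boxes in buf[0..len): 4-byte big-endian size, 4-byte type, payload. Only the
 * hypothetical "cont" type is a container that is descended into. Returns 0 on success,
 * -1 on a malformed size, -2 once nesting exceeds MAX_BOX_DEPTH. Every level of nesting
 * costs a stack frame, so without the depth check a crafted file drives unbounded recursion. */
static int walk_boxes(const uint8_t *buf, size_t len, int depth) {
    if (depth > MAX_BOX_DEPTH) return -2;
    size_t off = 0;
    while (off < len) {
        if (len - off < 8) return -1;                 /* truncated box header */
        uint32_t size = rd32(buf + off);
        if (size < 8 || size > len - off) return -1;  /* box must fit inside its parent */
        if (memcmp(buf + off + 4, "cont", 4) == 0) {
            int r = walk_boxes(buf + off + 8, size - 8, depth + 1);
            if (r != 0) return r;
        }
        off += size;
    }
    return 0;
}

/* Constructed input: n nested "cont" boxes wrapped around one 8-byte "leaf" box. */
static size_t build_nested(uint8_t *out, size_t cap, unsigned n) {
    size_t total = 8 + 8 * (size_t)n;
    if (total > cap) return 0;
    for (unsigned i = 0; i < n; i++) {
        wr32(out + 8 * i, (uint32_t)(total - 8 * i));
        memcpy(out + 8 * i + 4, "cont", 4);
    }
    wr32(out + 8 * n, 8);
    memcpy(out + 8 * n + 4, "leaf", 4);
    return total;
}
/* Parse a constructed file with n nesting levels; returns walk_boxes' verdict. */
int parse_nested(unsigned n) {
    uint8_t buf[16 * 1024];
    size_t len = build_nested(buf, sizeof buf, n);
    return len ? walk_boxes(buf, len, 0) : -1;
}
```

A file nested 32 levels deep parses normally, while 33 or 1000 levels are rejected with -2 before the recursion can grow the stack any further.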

The usual workaround applies: “The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.”

“Alternatively,” the VideoLan people say, “the MP4, AVI and ASF demuxer plugins (libmp4_plugin.*, libavi_plugin.*, libasf_plugin.*) can be removed manually from the VLC plugin installation directory.”

The real fix, of course, is installing the latest version of VLC Media Player. “[Version] 1.0.2 addresses this issue [while] patches for older versions are available from the official VLC source code repository 1.0-bugfix branch,” the VLC team says. Requiring Mac OS X 10.5 or later and a Quartz Extreme-capable Mac, VLC Media Player 1.0.2 is available for free download using the link below.

Download VLC Media Player for Mac OS X (Free)