Jul 14, 2011 12:36 GMT

Two security vulnerabilities that can be exploited to execute arbitrary code have been identified in different components of the popular VLC media player application.

Vulnerability research vendor Secunia rates the two VLC security flaws discovered by security researcher Hossein Lotfi as highly critical.

One of the vulnerabilities, identified as CVE-2011-2587, is located in VLC's RealMedia demuxer and can be exploited to cause a heap-based buffer overflow by opening a specially crafted RealMedia (RM) file.

The second vulnerability (CVE-2011-2588) is similar, but is located in the AVI demuxer and can be exploited when parsing a "strf" chunk in AVI files.

Both vulnerabilities affect the latest stable release of the media player and will be fixed in the upcoming 1.1.11 version. In the meantime, source code patches are available in the repository and can be applied manually by those who maintain the binary packages for various Linux distributions and other UNIX-based systems.

One workaround for Windows users is to delete or rename the libreal_plugin.dll and libavi_plugin.dll files. However, this will prevent the application from playing any RealMedia or AVI files.

While RealMedia files are not very common anymore and a large number of users would be fine with sacrificing the format until the new version of the player comes out, the ability to play AVI files is central to the program's experience because of the container's popularity.
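The rename workaround described above can be made reversible, so the plug-ins are easy to bring back once the fixed version is installed. The script below is an added example, not something published by VLC's developers or Secunia; the default install directory, the `.disabled` suffix and the parameter names are assumptions.

```powershell
# Added example: reversible rename of the two affected VLC demuxer plug-ins.
# Assumptions: VLC is in the default install directory (pass -VlcDir otherwise,
# e.g. under "Program Files (x86)"), and the shell is running elevated.
param(
    [string]$VlcDir = (Join-Path $env:ProgramFiles 'VideoLAN\VLC'),
    [switch]$Restore   # undo the workaround after upgrading
)

$plugins = 'libreal_plugin.dll', 'libavi_plugin.dll'
$suffix  = '.disabled'   # constructed suffix; any non-.dll name works

if (-not (Test-Path -LiteralPath $VlcDir)) {
    throw "VLC directory not found: $VlcDir"
}

# A running player keeps its plug-ins loaded, so the rename would fail.
if (Get-Process -Name vlc -ErrorAction SilentlyContinue) {
    throw 'Close VLC before renaming its plug-ins.'
}

foreach ($name in $plugins) {
    $from = if ($Restore) { $name + $suffix } else { $name }
    $to   = if ($Restore) { $name } else { $name + $suffix }

    # Search recursively so the script works whether the plug-ins sit
    # directly in the plug-in folder or in a subfolder of it.
    $hits = Get-ChildItem -LiteralPath $VlcDir -Recurse -Filter $from -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and $_.Name -eq $from }

    if (-not $hits) {
        Write-Warning "$from not found under $VlcDir"
        continue
    }
    foreach ($file in $hits) {
        Rename-Item -LiteralPath $file.FullName -NewName $to
        Write-Output "$($file.FullName) -> $to"
    }
}
```

Run it without arguments to disable both demuxers, and with `-Restore` to re-enable them after the update.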

Users are advised to exercise caution regarding the origin of the files they choose to play. Disabling the VLC browser plug-ins temporarily in order to remove the most direct remote attack vector can also help.

VLC is a powerful cross-platform multimedia player capable of playing most media formats natively with no need for additional codecs. It is open source and is distributed under the GNU General Public License.