VLC media player 2.0.2 has been released and the list of improvements is fairly long. From a security standpoint, one of the most important changes is the update made to the taglib library.
In VLC 2.0.1, taglib contains a vulnerability (CVE-2012-2396) that could allow a remote attacker to cause a denial-of-service (DoS) condition and crash the application via a specially crafted .mp4 file.
In order for this flaw to be exploited, an attacker has to convince the victim to open a malicious file in VLC, but as we have seen in the past, this does not pose a problem for determined cybercriminals.
The latest release also addresses an Ogg heap buffer overflow, and updates libavcodec and other codec libraries.
Since the DoS vulnerability could pose a serious threat, we advise users to update to the latest version immediately.
VLC for Windows is available for download here.
VLC for Mac is available for download here.
VLC for Linux is available for download here.