Apr 13, 2011 14:24 GMT

The VideoLAN Organization has released version 1.1.9 of the VLC media player to address two critical vulnerabilities that could be exploited by attackers to execute arbitrary code remotely.

One of the flaws fixed in VLC 1.1.9 was disclosed last Saturday and lies in the MP4 demultiplexer (demuxer), the module responsible for parsing MP4 (MPEG-4 Part 14) files.

The vulnerability stems from an error in the "MP4_ReadBox_skcr()" function when it parses a malformed file; the result is a heap-based buffer overflow, which an attacker can typically turn into arbitrary code execution.

Secunia rates the bug as highly critical. It can also be exploited over the Web, because the VLC ActiveX control and the Firefox plug-in let a malicious page embed a crafted media file that the player parses when the page is loaded.
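To make the bug class concrete, here is an added example written for this page in C; it is illustrative code, not VLC's MP4_ReadBox_skcr() or any VideoLAN code, and it does not reproduce the actual defect. It shows a minimal MP4 box reader that trusts the size field from the file beside a hardened version that bounds every file-derived length against both the input and the destination. The box layout (4-byte big-endian size that counts the 8-byte header, 4-byte type, then payload) is standard MP4; the 16-byte payload capacity, the helper names and the three sample boxes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical box parser for illustration; not VLC's code.
 * MP4 box: 4-byte big-endian size (includes this 8-byte header), 4-byte type, payload. */
#define BOX_HEADER_LEN 8u
#define PAYLOAD_CAP    16u   /* assumed capacity the parser allocates for a payload */

typedef struct {
    char     type[4];
    uint32_t declared_size;
    size_t   payload_len;
    uint8_t  payload[PAYLOAD_CAP];
} box_t;

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Length the VULNERABLE parser would memcpy: size - 8 with no checks.
 * Computed in uint32_t, so a size below 8 wraps to nearly 4 GiB, and any
 * size above 8 + PAYLOAD_CAP overruns the destination. */
static uint32_t vulnerable_copy_len(const uint8_t *buf)
{
    return be32(buf) - BOX_HEADER_LEN;
}

/* VULNERABLE: trusts the file-supplied size. Only safe on a well-formed box;
 * it is here to show the pattern, not to be run on untrusted input. */
static box_t *read_box_vulnerable(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < BOX_HEADER_LEN) return NULL;
    box_t *box = calloc(1, sizeof *box);                 /* heap object */
    if (!box) return NULL;
    memcpy(box->type, buf + 4, 4);
    box->declared_size = be32(buf);
    box->payload_len = vulnerable_copy_len(buf);          /* unchecked */
    memcpy(box->payload, buf + BOX_HEADER_LEN, box->payload_len); /* heap overflow if > 16 */
    return box;
}

/* HARDENED: reject before copying if the declared size is below the header
 * length (wrap), beyond the data actually available (over-read), or beyond
 * the destination capacity (over-write). */
static box_t *read_box_hardened(const uint8_t *buf, size_t buf_len)
{
    if (buf_len < BOX_HEADER_LEN) return NULL;
    uint32_t size = be32(buf);
    if (size < BOX_HEADER_LEN) return NULL;       /* would wrap below zero */
    if (size > buf_len) return NULL;              /* box claims more than we hold */
    size_t payload_len = size - BOX_HEADER_LEN;
    if (payload_len > PAYLOAD_CAP) return NULL;   /* bound by destination, not by file */
    box_t *box = calloc(1, sizeof *box);
    if (!box) return NULL;
    memcpy(box->type, buf + 4, 4);
    box->declared_size = size;
    box->payload_len = payload_len;
    memcpy(box->payload, buf + BOX_HEADER_LEN, payload_len);
    return box;
}

/* Constructed sample boxes (not taken from any real file). */
static const uint8_t GOOD_BOX[] = {            /* size 12: 4-byte payload, fits */
    0x00,0x00,0x00,0x0c, 's','k','c','r', 0xde,0xad,0xbe,0xef };
static const uint8_t LONG_BOX[] = {            /* size 28: 20-byte payload into a 16-byte buffer */
    0x00,0x00,0x00,0x1c, 's','k','c','r',
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A' };
static const uint8_t TINY_BOX[] = {            /* size 4 < header: length wraps */
    0x00,0x00,0x00,0x04, 's','k','c','r' };

int main(void)
{
    box_t *b = read_box_hardened(GOOD_BOX, sizeof GOOD_BOX);
    printf("good box: %s, payload %zu bytes\n", b ? "accepted" : "rejected", b ? b->payload_len : 0);
    free(b);
    printf("long box: %s (vulnerable parser would copy %u bytes into %u)\n",
           read_box_hardened(LONG_BOX, sizeof LONG_BOX) ? "accepted" : "rejected",
           vulnerable_copy_len(LONG_BOX), PAYLOAD_CAP);
    printf("tiny box: %s (vulnerable parser would copy %u bytes)\n",
           read_box_hardened(TINY_BOX, sizeof TINY_BOX) ? "accepted" : "rejected",
           vulnerable_copy_len(TINY_BOX));
    return 0;
}
```

The order of the three checks in the hardened reader matters: the wrap check must come before the subtraction, and the destination-capacity check must be against the buffer the parser actually owns rather than anything the file says about itself. A demuxer that reads dozens of box types needs the same discipline in every reader, which is why such bugs tend to surface one box type at a time.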

The second vulnerability addressed in the new version of the popular open source media player is actually located in the libmodplug third-party library.

libmodplug is used to render music module (tracker) files in many formats, including .669, .amf, .ams, .dbm, .dmf, .dsm, .far, .it, .j2b, .mdl, .med, .mod, .mt2, .mtm, .okt, .psm, .ptm, .s3m, .stm, .ult, .umx, and .xm.

The arbitrary code execution vulnerability in the library can be exploited by tricking users into opening specially crafted S3M (Scream Tracker 3 module) files. This flaw, too, can be exploited over the Web and via network shares.

The vulnerability was resolved by updating the copy of libmodplug bundled with VLC to version 0.8.8.2, which was released at the beginning of April.

The new VLC 1.1.9 also includes many non-security bug fixes, among them several interface updates for Mac OS X. In addition, Growl is now bundled with the VLC package for Apple's OS.

VLC is a powerful cross-platform multimedia player capable of playing most media formats natively. It is distributed under the GNU General Public License.

The latest version of VLC media player for Windows can be downloaded from here.

The latest version of VLC media player for Mac can be downloaded from here. The latest version of VLC media player for Linux can be downloaded from here.