A new critical vulnerability has been identified in the popular VLC media player and can potentially be used by attackers to execute arbitrary code remotely.
The vulnerability affects VLC 1.1.6, the lastest stable version of the player, and is located in the MKV demuxer, the component used to parse Matroska or WebM video files.
The flaw is the result of insufficient input validation and was reported by Dan Rosenberg of VSR (Virtual Security Research).
Dan Rosenberg has recently reported similar arbitrary code execution vulnerabilities in VLC's Real demuxer and CD+G decoder.
According to the advisory
published by the VideoLAN Project, the VLC developers were first notified about the vulnerability on January 26, 2011, too late to include a fix in VLC 1.1.6.
On January 29, the Matroska project contributed a patch
to the VLC source code, which consists of a single line that solves the input validation problem.
Attackers can exploit the vulnerability by tricking users into opening a maliciously crafted .MKV or WebM files. This can also be done over the Web because of VLC's ActiveX and Firefox plugins.
The VLC ActiveX control is installed by default, but the VLC Netscape plugin needs to be manually selected during installation.
It would be sensible to disable these plug-ins from inside the browsers for now. Also people are advised to exercise caution regarding the origin of the .mkv files they download and open.
A patch will be included in VLC 1.1.7 which has yet to be released. Until then users can remove the libmkv_plugin.* file from the VLC plugin installation directory.
However, it's worth noting that MKV is a commonly used HD video format and removing the demuxer plugin will hinder the application's ability to playback such files.
VLC is a powerful cross-platform multimedia player capable of playing most media formats natively, without the need of additional codecs. It is open source and distributed under the GNU General Public License.The latest version of VLC media player for Windows can be downloaded from here.
The latest version of VLC media player for Mac can be downloaded from here.