Sep 27, 2010 15:03 GMT  ·  By

The VideoLAN Project has released version 1.1.4 of its popular VLC media player application, which addresses a DLL preloading vulnerability allowing for arbitrary code execution.

DLL preloading, also called binary planting, is a recently disclosed class of vulnerability that stems from the use of an insecure search path in library-loading functions.

When a program calls a DLL without specifying its full path, Windows searches for it in several locations in a predefined order.

One of these locations is "the current working directory," which in the context of VLC can be the folder from where an MP3 is opened.

In addition to directories on the local computer or a network share, this folder can also be a WebDAV resource on a remote server.

When opening MP3 files, VLC attempts to load a file called wintab32.dll, which does not exist on Windows XP systems.

This allows an attacker to create a malicious DLL with that name and place it in the same folder as the MP3 in order to execute it.
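The search-order mechanics described above, as an added Python model that is neither VLC code nor a Windows API call: it resolves a bare DLL name against the default Windows search order (SafeDllSearchMode enabled, the default since XP SP2) and shows why a name absent from the system directories is served from the folder the media file was opened from, what removing the current directory from the order (as a call to SetDllDirectory("") does) changes, and a simple defender heuristic for spotting DLLs in a working directory that would win the search. The directory contents are constructed.

```python
from typing import Dict, List, Optional, Set

# Default Windows search order with SafeDllSearchMode enabled (XP SP2 and later).
# Each entry is a symbolic location name used as a key into the directory model.
DEFAULT_SEARCH_ORDER: List[str] = [
    "app_dir",   # folder containing the executable (e.g. vlc.exe)
    "system32",  # %SystemRoot%\System32
    "system",    # %SystemRoot%\System (16-bit system directory)
    "windows",   # %SystemRoot%
    "cwd",       # current working directory, e.g. the folder the MP3 was opened from
    "path",      # directories listed in %PATH%
]

# Constructed layout of an XP machine where a media folder contains a planted DLL.
# wintab32.dll is not shipped with Windows XP, so no system location has it.
XP_WITH_PLANTED_DLL: Dict[str, Set[str]] = {
    "app_dir":  {"vlc.exe", "libvlc.dll"},
    "system32": {"kernel32.dll", "user32.dll"},
    "system":   set(),
    "windows":  set(),
    "cwd":      {"song.mp3", "wintab32.dll"},
    "path":     set(),
}

def resolve_dll(name: str, dirs: Dict[str, Set[str]],
                order: List[str] = DEFAULT_SEARCH_ORDER) -> Optional[str]:
    """Return the first location in `order` that holds `name` (case-insensitive),
    or None if the DLL is nowhere on the search path."""
    wanted = name.lower()
    for location in order:
        if any(f.lower() == wanted for f in dirs.get(location, ())):
            return location
    return None

def without_cwd(order: List[str] = DEFAULT_SEARCH_ORDER) -> List[str]:
    """Search order after an application calls SetDllDirectory(""), which removes
    the current working directory from the search."""
    return [loc for loc in order if loc != "cwd"]

def suspicious_cwd_dlls(dirs: Dict[str, Set[str]]) -> Set[str]:
    """Defender heuristic: DLLs sitting in the working directory that no location
    earlier in the search order provides, i.e. names that would be served from cwd."""
    return {f for f in dirs.get("cwd", ()) if f.lower().endswith(".dll")
            and resolve_dll(f, dirs) == "cwd"}
```

With the hardened order the lookup returns None, which is the case an application must handle gracefully (wintab32.dll is optional tablet support, not a hard dependency).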

A proof-of-concept exploit for this vulnerability, which is rated as highly critical by Secunia, has been publicly available since August 25.

According to the VLC developers, this flaw affects several modules in VLC 1.1.3 and older, such as Qt4 and DMO.

However, given the broad scope of this type of vulnerability, similar bugs might later be identified in other VLC components as well.

Patches that can be applied manually before compilation have also been released for versions 1.1.3, 1.1.2, 1.1.1 and 1.1.0 of the application.

However, patching in this way is done predominantly on Linux, and this vulnerability only affects Windows systems.

So far, over 200 applications, including some very popular ones, have been confirmed to be vulnerable to similar DLL preloading or EXE planting attacks.

VLC Media Player 1.1.4 for Windows can be downloaded from here.

VLC Media Player 1.1.4 for Mac can be downloaded from here.