14 DAY TRIAL // The VideoLAN project has released version 1.1.10 of VLC media player in order to address several highly critical vulnerabilities that could be exploited to execute arbitrary code remotely.
Two of the patched vulnerabilities were disclosed at the beginning of last month as zero-days and were accompanied by proof-of-concept exploit code.
Both of them are located in the third-party libmodplug plugin that is included in VLC, as well as many other media players and Linux distributions.
The vulnerabilities are caused by boundary errors in the 'abc_new_macro()' and 'abc_new_umacro()' functions and can be exploited by tricking victims into opening specially-crafted ABC files.
Remote exploitation vectors include local network shares and the web because of the program's Firefox and Internet Explorer plugins.
A third integer overflow vulnerability located in the XSPF playlist demultiplexer was also patched in this release. The XSPF demuxe has also been a source for vulnerabilities in the past. So far the project hasn't published an advisory regarding this vulnerability.
There are also other non-security related changes in this release such as the removal of FontCache building in the Freetype module on Windows, interface and hotkey fixes on Mac OS X and a rewrite of the PulseAudio output on Linux/BSD. Some of the included codecs have also been updated.
VLC is a powerful cross-platform multimedia player capable of playing most media formats natively without the need of additional codecs. It is open source and is distributed under the GNU General Public License.
The latest version of VLC media player for Windows can be downloaded from here. The latest version of VLC media player for Mac can be downloaded from here. The latest version of VLC media player for Linux can be downloaded from here.