Jul 18, 2011 14:15 GMT

VideoLAN has released version 1.1.11 of its popular VLC media player application in order to address two critical vulnerabilities and make several other improvements.

According to the VLC developers, version 1.1.11 is mainly a security release that targets two arbitrary code execution vulnerabilities disclosed last week.

The vulnerabilities are located in the RealMedia and AVI demuxers and can be exploited by tricking potential victims into opening specially crafted .rm or .avi files.

Vulnerability research vendor Secunia rates the two security issues as highly critical, and VideoLAN previously suggested removing the libreal_plugin.dll and libavi_plugin.dll plugins to mitigate the risks.

Unfortunately, losing the ability to play .avi files made the proposed solution quite impractical for the majority of users, as AVI is the de facto video file container.

Source code patches have been available in the repository since last week, but these weren't of much help to Windows and Mac users who rely on pre-built binary packages.

The best solution in cases like this is to avoid opening files from untrusted and unverified sources. The VLC Firefox and Internet Explorer plug-ins should be disabled if they are not used very often, because they open a remote attack vector for this sort of vulnerability.

In addition to the security patches, VLC 1.1.11 contains other changes as well. "It also contains improvements in the fullscreen mode of the Win32 mozilla plugin, the MacOSX Media Key handling and Auhal audio output as well as bug fixes in GUI, decoders and demuxers," the developers write.

The latest version of VLC media player is available for download for Windows, Mac and Linux.