Highly critical

VLC Media Player Multiple Vulnerabilities

Release Date:  2010-04-22    Last Update:  2010-06-22    Views:  16,828

Secunia Advisory SA39558

Description


Multiple vulnerabilities have been reported in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system.


Subject: VLC Media Player Multiple Vulnerabilities

User Message
steffens RE: VLC Media Player Multiple Vulnerabilities
Member 23rd Apr, 2010 01:39
Score: 53
Posts: 80
User Since: 25th Jul 2009
System Score: N/A
Location: US
Last edited on 23rd Apr, 2010 01:54
Quoting from lead article at <http://www.videolan.org/news.html>:

VLC 1.0.6
2010-04-21
"...Binaries for Windows and Mac OS are not yet on the pipe."

At the time of this posting, that was still true.
Was this reply relevant?
+3
-0

puget1 RE: VLC Media Player Multiple Vulnerabilities
Member 6th May, 2010 04:51
Score:
Posts: 612
User Since: 21st Dec 2007
System Score: N/A
Location: US
Last edited on 6th May, 2010 05:34
I refer you to this thread http://secunia.com/community/forum/thread/show/348... If you don't think that was a shot of adrenaline through the ole nervous system being told that "Vista is insecure" It sounds like your whole OS is defunct. When traced down it was the buffer avi overflow. Knowing that all streaming video is probably the root cause of most hostile entries, means there really isn't anything that can be done. I do the best I can and I refuse to go paranoid over it. Firefox has a couple of add-ons that allow you to control flash and media start-ups without approval of the operator; one is No-Scripts, excellent with [protection against click-jacking]. Cookie controls + an add-on called Better Privacy that removes long term super cookies on closing browser. By being able to control entry of cookies should to some extent help, plus the removal of them at the end of session. Other add-ons like Clear private data and Close and Forget also help. Secondly by not keeping anything in your history and not keeping passwords in memory. Using anti key-logger software like http://www.trusteer.com or http://download.cnet.com/KeyScrambler-Personal/300... Basically not keeping anything in your p.c. that can be used against you. Be sure to "Sign out" when using your bank so they can remove vital code and cookies at the end of session. Ultimately, by not going paranoid. Hope this helps

--
Windows 10 64bit

There is No magic bullet in computing; only workarounds.
Was this reply relevant?
+1
-2
zappe RE: VLC Media Player Multiple Vulnerabilities
Member 10th May, 2010 13:09
Score: 3
Posts: 17
User Since: 4th Jan 2008
System Score: N/A
Location: SE
(unknown source)
Good advice in general... but hard to follow in this particular case, because as of this writing, nearly two weeks after my original post, the 1.0.6 binaries for Win and Mac are *still* "not yet on the pipe".

So there remains only the (less satisfactory) "solution" in VideoLAN Security Advisory 1003 <http://www.videolan.org/security/sa1003.html>...
"Workarounds: The user may refrain from opening files from untrusted sources."


There will probably not be a 1.0.6, but there are nightly builds that you can use.

1.1.0 will be released in two weeks time.
Was this reply relevant?
+3
-0
cvalde RE: VLC Media Player Multiple Vulnerabilities
Member 2nd Jun, 2010 10:47
Score: 11
Posts: 22
User Since: 30th Jul 2009
System Score: N/A
Location: CL
Last edited on 2nd Jun, 2010 10:47
Quote from http://www.remlab.net/op/vlc-1.0.6.shtml
"Security-conscious users can install VLC prerelease version 1.1.0-pre3 which is quite stable and addresses the recently published security vulnerabilities." and I think this is an educated guess, RC2:
http://nightlies.videolan.org/build/win32/branch-2...
with vlc-1.1.0-rc2-20100602-0203-win32.exe for RC2 download. There's also this page
http://www.videolan.org/vlc/releases/1.1.0-RC.html
with links for RC1.
Was this reply relevant?
+7
-0
sucker RE: VLC Media Player Multiple Vulnerabilities
Member 19th Jun, 2010 19:11
Score: 1
Posts: 1
User Since: 4th Jul 2009
System Score: N/A
Location: N/A
Last edited on 19th Jun, 2010 19:11
And here you can get VLC 1.1.0 RC 4 at http://forum.videolan.org/viewtopic.php?f=34&t=778...
Was this reply relevant?
+1
-0
Masoa RE: VLC Media Player Multiple Vulnerabilities
Member 22nd Jun, 2010 01:40
Score: 2
Posts: 1
User Since: 22nd Jun 2010
System Score: N/A
Location: US
Last edited on 22nd Jun, 2010 01:40
VLC 1.1 is out on www.videolan.org, is this advisory still in effect for the latest version?
Was this reply relevant?
+2
-0
Racketeer RE: VLC Media Player Multiple Vulnerabilities
Member 22nd Jun, 2010 11:23
Score: 1
Posts: 1
User Since: 22nd Jun 2010
System Score: N/A
Location: CH
Last edited on 22nd Jun, 2010 11:23
This is very strange indeed: While PSI lists VLC (1.1.0) as unsafe for browsing it does not report it in "unpatched threats"...
Was this reply relevant?
+1
-0
Ocean_Icarus RE: VLC Media Player Multiple Vulnerabilities
Member 31st Jul, 2010 17:33
Score: 0
Posts: 1
User Since: 31st Jul 2010
System Score: N/A
Location: FI
Last edited on 31st Jul, 2010 17:33
Is this 1.1.0 version safe to use? Are the security holes filled now? Thanks in advance!
Was this reply relevant?
+0
-0
