Forum Thread: VLC Browser PlugIn

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

Relating to this specific program: VLC media player 1.x

This thread has been marked as locked.
klausus02 VLC Browser PlugIn
Member 4th Feb, 2011 16:56
Ranking: 89
Posts: 144
User Since: 4th Feb, 2011
System Score: N/A
Location: DE
Last edited on 4th Feb, 2011 16:57

Some weeks ago a vulnerability was discovered in VLC Media Player 1.1.5.

Now, the latest version is released. But PSI 2.0 is still pointing out that the browser plugin is insecure. Is it really so? Or is it a matter of updating the PSI database?


mogs RE: VLC Browser PlugIn
Member 5th Feb, 2011 10:09
Posts: 6,279
User Since: 22nd Apr 2009
System Score: N/A
Location: UK
Below is a copy/extract of a Softpedia article which may set your mind at rest:

Critical Vulnerability Fixed in VLC 1.1.7
February 3rd, 2011, 14:11 GMT | By Lucian Constantin

The VideoLAN project has released version 1.1.7 of VLC media player in order to address a critical vulnerability which allows for arbitrary remote code execution.

The vulnerability was announced in an advisory at the beginning of this week after patches have been submitted to the VLC source code repository.

The flaw is the result of insufficient input validation in the MKV demuxer, the plugin responsible for parsing video files in Matroska or WebM format.

Dan Rosenberg of VSR (Virtual Security Research) is credited with discovering and reporting it to the VLC developers on January 26.

Exploitation involves tricking users into opening a maliciously crafted MKV file. The file can be stored on the local hard drive or a network share.

Web-based attacks leveraging this vulnerability are also possible thanks to the VLC Internet Explorer ActiveX control or the Firefox plugin.

Such attacks, known as drive-by downloads, are usually transparent to the victims and can be launched from legit compromised websites.

Fortunately, the VLC Mozilla plugin is not installed by default, so chances are that only a small percentage of Firefox users have it deployed.

People are advised to install the latest version as soon as possible, but patches for older variants are also available in the Git repository as well.

You can read more at:

So it is very probable that the Secunia detection rules are to be updated.
Hope this helps ... regards,

Anthony Wells RE: VLC Browser PlugIn
Expert Contributor 5th Feb, 2011 12:08
Score: 2542
Posts: 3,402
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 5th Feb, 2011 12:13

The full list of Secunia Advisories for the VLC Player can be found here in the programme's vulnerability report:

The vulnerability in this SA is fixed by updating to version 1.1.6:

The vulnerability in this SA is fixed by updating to version 1.1.7:

Applying these will show you as fully patched and "secure" by the PSI.

This vulnerability, which only applies to the Mozilla/Firefox plug-in, is NOT shown as being patched in this SA, even though the plug-in is not installed by default:

Due to the way the PSI detection rules read the VLC programme, it will show all browsers as being "insecure/no solution" in the "secure browsing" module of the PSI; this is a known bug and has been discussed at length in several threads. This status will not change until/unless the Mozilla plug-in insecurity is fixed in the Player or the Player's method of incorporating the plug-in(s) changes.

Hope that is clear.

Take care

It always seems impossible until it's done.
Nelson Mandela