Forum Thread: VLC Media Player update

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
jonrichco VLC Media Player update
Member 5th Mar, 2012 08:45
Ranking: 0
Posts: 22
User Since: 27th Nov, 2008
System Score: N/A
Location: AU
Secunia advises that VLC 1.1.11 is insecure and to update to 1.1.13. The latter does not seem to exist. The current version of VLC is 2.0.

M.Rehman RE: VLC Media Player update
Secunia Official 5th Mar, 2012 14:21
Score: 25
Posts: 41
User Since: 12th May 2011
System Score: N/A
Location: Copenhagen, DK
Hi.

VLC 1.1.11 is the latest installable version; however, it is insecure.
1.1.13 is the latest patched version; however, there are no binary releases.
In other words, there are no installers you can just run.

The issue is in a file in the folder called "plugins", and 1.1.13 is the fixed DLL file which has to replace the old one from 1.1.11.

The DLL file does not have any metadata, so we cannot detect it; however, we've made a special package for this.

When you run the update from the PSI, it'll switch the old insecure file with the new secure one; however, due to no metadata changes in any of the detectable files, the PSI cannot detect anything.
If you go to your VLC folder, you'll see a folder called "plugins"; in that folder there is a file called "libty_plugin.dll".
This is the insecure file.
If you look at this file after running the Secunia package, you'll notice that the timestamp for this is different from all the other files in the folder.

Hope this helps understanding the issue with VLC.

--
Kind regards,

Munib Rehman
Secunia Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
jonrichco RE: VLC Media Player update
Member 5th Mar, 2012 14:47
Score: 0
Posts: 22
User Since: 27th Nov 2008
System Score: N/A
Location: AU
Thanks Munib, but not really

I cannot see any reason for PSI to recommend a patch that doesn't exist within the program and not to recommend a new version which is what I (and I expect 90% of VLC users) would want.
Maurice Joyce RE: VLC Media Player update
Handling Contributor 5th Mar, 2012 14:54
Score: 11830
Posts: 9,072
User Since: 4th Jan 2009
System Score: N/A
Location: UK
The comments made here by Anthony Wells make good reading for Secunia Support.

http://secunia.com/community/forum/thread/show/122...

--
Maurice

Windows 7 SP1 64 Bit OS
HP Intel Pentium i7
IE 11 for Windows 7 SP1
16GB RAM
Anthony Wells RE: VLC Media Player update
Expert Contributor 5th Mar, 2012 15:57
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello all,

To update things quickly, it may be that the problem lies in SA47325:

http://secunia.com/advisories/47325/

I have had version 1.1.11 on my system since its launch on/around 15.07.2011 and PSI was happy with this until 22.02.2012.

This means that 1.1.12 of 07.10.2011 was ignored as one would expect (a workaround for Windows). Also 1.1.13 was ignored from 21.12.2011 (first date of SA47325) until the SA was modified on 22.02.2012, which also happens to be the launch date for 2.0.0.

I have no idea why Secunia applies a "patch" which cannot be detected by the PSI - so usually called a "workaround" - and calls it 1.1.13, when a much improved upgrade/update is available, i.e. version 2.0.0 on the same date.

Without labouring the point, at least we can see the problem and deal with it in PSI 2.0.x, whereas the other (linked) thread shows the difficulty/impossibility of the current 3.0 BETA.

Must dash , take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
M.Rehman RE: VLC Media Player update
Secunia Official 5th Mar, 2012 16:00
Score: 25
Posts: 41
User Since: 12th May 2011
System Score: N/A
Location: Copenhagen, DK
After having the discussion in our team, and due to the fact that VLC 1.1.12 has a vulnerability that is not fixed in 1.1.13 but in 2.0, we have decided to update the version rule for 2.0.

This way we will get both the earlier vulnerability fixed in 1.1.13 and the vulnerability from 1.1.12 fixed in 2.0.

--
Kind regards,

Munib Rehman
Secunia Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
Anthony Wells RE: VLC Media Player update
Expert Contributor 5th Mar, 2012 16:09
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi Munib,

That was quick :)))

Are you in fact referring to this problem, which was not fixed in 1.1.11 and has been around since 1.1.4 and caused much polemic in the Forum?

http://secunia.com/advisories/41810/

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
M.Rehman RE: VLC Media Player update
Secunia Official 7th Mar, 2012 15:16
Score: 25
Posts: 41
User Since: 12th May 2011
System Score: N/A
Location: Copenhagen, DK
Hi Everybody,

In order to address your concerns, we will post an elaboration of the process that led to the decision to suggest VLC 2.0 to users and customers.

VLC has an outstanding vulnerability which is fixed in the 1.1.13 version (SA47325). However, VideoLAN (the publisher of VLC) has not provided an official Windows installer. Normally, according to Secunia policy, this would mean that we would not offer any patch at all. This is what you'd usually expect. However, since the release of the first Secunia PSI 3.0 Beta release, Secunia has been working on something big. The Secunia Packaging System, known as SPS, is a system for repackaging installers. This, for example, makes silent installation possible where before it wasn't.

In the case of VLC 1.1.13, VideoLAN officially suggested replacing a DLL to patch the vulnerability. Since most users would not do this on their own, we at Secunia prepared an SPS package which did this on behalf of our community.

Unfortunately, the new DLL failed to update the version information of the DLL, which the Secunia File Signatures engine depends upon. So even after (successfully) installing the patch we provided, the user would be shown VLC as if it was insecure. This situation was certainly not ideal, but in this case the pain of seeing a temporary false negative was less of a problem than exposing an insecure video player to the internet (as VLC, especially, is frequently embedded in browsers and frequently targeted by criminals).

After discussing this problem internally, one of our security researchers discovered that a vulnerability in VLC 1.1.12, which was otherwise only fixed in the source code (SA 46224), appeared to have been fixed in the source code of the VLC 2.0 release (which has a Windows installer). VLC has not officially released an advisory stating the problem was solved, nor has Secunia verified that the 2.0 binary is not vulnerable, although the fix seems to have been applied in the source code.

Under these circumstances, we had only a few choices. One would be to roll back the SPS package, leaving users with the vulnerable 1.1.11 version. This was not ideal. Keeping the SPS package, and thus the false negative, was not exactly perfect either.

So in the best interest of the security of the systems of our users and customers, we decided to offer 2.0. Although 1.x is not officially End of Life, VLC has failed to patch the issue in their old (and still supported) release, and have not provided official Windows installers for 1.1.13.

With this solution, we hope to have made the best of a difficult situation. We realize we cannot please everybody, but hopefully this is the closest we can get to ideal.

If you have questions about this decision, or concerns, please voice them so we have a chance to address them as soon as possible.

I hope my explanation has made the issue clear for you and put your concerns to rest.

--
Kind regards,

Munib Rehman
Secunia Support

Secunia PSI
http://secunia.com/vulnerability_scanning/personal
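The two Secunia Support posts above (the 5 Mar reply about the replaced "libty_plugin.dll" and this 7 Mar explanation) describe why a scanner that keys on version metadata cannot see a file-replacement patch. The following is an added example, not Secunia's or VideoLAN's code: a toy version-rule check with a content-hash fallback for files that carry no version resource. All file contents, hashes, the "vlc.exe" entry and the rule values are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed example: file contents, hashes and rules below are made up for
# illustration; they are not Secunia's PSI signatures or VLC's real binaries.
PLUGIN_DLL = "plugins/libty_plugin.dll"   # the replaced file named in the thread

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.1.13' -> (1, 1, 13); tuple comparison orders versions numerically."""
    return tuple(int(p) for p in v.split("."))

@dataclass
class FileInfo:
    path: str
    file_version: Optional[str]   # None when the PE carries no version resource
    content: bytes

@dataclass
class Rule:
    secure_version: str                       # version rule, e.g. "1.1.13" or "2.0"
    known_good_sha256: Dict[str, str] = field(default_factory=dict)

def assess(files: List[FileInfo], rule: Rule) -> Tuple[str, str]:
    """Return ('secure'|'insecure', evidence) for one installed copy.
    Step 1: the ordinary version rule over files that carry metadata.
    Step 2: the fallback the thread shows is needed; a replaced DLL with no
    version resource is only recognisable by hashing its contents."""
    versions = [parse_version(f.file_version) for f in files if f.file_version]
    if versions and max(versions) >= parse_version(rule.secure_version):
        return "secure", "version metadata meets rule"
    for f in files:
        expected = rule.known_good_sha256.get(f.path)
        if expected and hashlib.sha256(f.content).hexdigest() == expected:
            return "secure", f"{f.path} matches known patched hash"
    return "insecure", "no file satisfies version rule or patched-file hash"

# Constructed inventories of a VLC install in the three states discussed above.
OLD_DLL = b"constructed bytes standing in for the vulnerable plugin"
PATCHED_DLL = b"constructed bytes standing in for the replaced plugin"
RULE_1_1_13 = Rule("1.1.13", {PLUGIN_DLL: hashlib.sha256(PATCHED_DLL).hexdigest()})
UNPATCHED = [FileInfo("vlc.exe", "1.1.11", b"exe"), FileInfo(PLUGIN_DLL, None, OLD_DLL)]
DLL_REPLACED = [FileInfo("vlc.exe", "1.1.11", b"exe"), FileInfo(PLUGIN_DLL, None, PATCHED_DLL)]
UPGRADED = [FileInfo("vlc.exe", "2.0.0", b"exe")]

if __name__ == "__main__":
    for name, inv in [("unpatched", UNPATCHED), ("dll replaced", DLL_REPLACED), ("2.0", UPGRADED)]:
        print(name, assess(inv, RULE_1_1_13))
```

With only the version rule, the "dll replaced" install would still read as insecure, which is the false result the thread describes; the hash fallback is what lets the replacement be recognised.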
Anthony Wells RE: VLC Media Player update
Expert Contributor 7th Mar, 2012 21:44
Score: 2454
Posts: 3,345
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi Munib,

Thank you for such a clear response and I wish you luck with the SPS to improve the Auto-update presently on offer (in 2.0.0.x).

There is a point in that whilst the SPS worked to provide 1.1.13, a lack of visibility in the PSI 3.0 Beta would probably have masked the (initial) situation for the user, unlike the PSI 2.0 users.

I am also concerned about "obligatory" Browser updates in 3.0 Beta and possible conflict between the silent/auto updates of Chrome and Firefox and the SPS; this thread is fairly explicit:

http://secunia.com/community/forum/thread/show/122...

Thank you for taking the time to clarify the situation, I know how busy you are :))

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
