Forum Thread: Insecure Ver. 0.8.6h notification doesn't go away after update (d...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
VideoLAN
And, this specific program:
VLC media player 0.x

This thread has been marked as locked.
VopThis Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 25th Nov, 2008 17:01
Ranking: 0
Posts: 4
User Since: 29th Dec, 2007
System Score: 97%
Location: N/A
Last edited on 25th Nov, 2008 17:04

Remained as above even when updated to Ver. 0.8.6i. for quite some time now. Still unchanged when recently updated to ver 0.9.6.


The file paths are all the same, as well:

"C:\Program Files\VideoLAN\VLC\vlc.exe"
"E:\Program Files\VideoLAN\VLC\vlc.exe"

debeul RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 25th Nov, 2008 17:12
Score: 0
Posts: 9
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
I asked Secunia about this problem.
They responded:
---
We are aware of VLC Media Player version 0.8.6i being detected as the
insecure version 0.8.6h. The reason for this is that the developers
behind VLC Media Player have forgotten to update their program's file
version information. The PSI looks at this information when determining
the version of a program.

Hopefully this error in the VLC Media Player will be corrected by its
developers soon. Meanwhile you can open VLC Media Player, go to
Help-->About... and check your currently installed version. If it says
“VLC Media Player 0.8.6i” you have the latest version.
---
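An added example, not part of the thread and not Secunia's or VideoLAN's code, of the mechanism Secunia's reply describes: a scanner that reads the version fields embedded in the executable reports whatever those fields say, even when Help > About shows a newer release. The signature scan, the function names and the sample bytes are assumptions constructed for illustration.

```python
import re
import struct

SIGNATURE = struct.pack("<I", 0xFEEF04BD)  # first DWORD of VS_FIXEDFILEINFO

def _split(ms, ls):
    # Each DWORD holds two 16-bit fields: major.minor and build.revision.
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def fixed_file_versions(blob):
    """Return [(file_version, product_version)] for each VS_FIXEDFILEINFO found
    by signature scan (a shortcut; a full tool would walk the PE resource tree)."""
    found, pos = [], blob.find(SIGNATURE)
    while pos != -1:
        if pos + 24 <= len(blob):
            _, _, fms, fls, pms, pls = struct.unpack_from("<6I", blob, pos)
            found.append((_split(fms, fls), _split(pms, pls)))
        pos = blob.find(SIGNATURE, pos + 4)
    return found

def compare(blob, about_version):
    """Classify the embedded file version against the Help > About string."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", about_version.strip())
    if m is None:
        raise ValueError("unrecognised version string: %r" % about_version)
    nums = tuple(int(n) for n in m.group(1).split("."))
    versions = fixed_file_versions(blob)
    if not versions:
        return "no-version-resource"
    file_version = versions[0][0]
    if file_version[:len(nums)] != nums:
        return "stale"                # resource was not bumped with the release
    # A letter suffix has no field of its own in the four numeric slots.
    return "letter-unverifiable" if m.group(2) else "match"

def make_blob(file_version, product_version):
    """Constructed sample bytes: padding plus a 13-DWORD VS_FIXEDFILEINFO."""
    def pack(v):
        return ((v[0] << 16) | v[1], (v[2] << 16) | v[3])
    return b"MZ" + b"\x00" * 62 + struct.pack(
        "<13I", 0xFEEF04BD, 0x00010000, *pack(file_version),
        *pack(product_version), 0x3F, 0, 0x00040004, 1, 0, 0, 0)

if __name__ == "__main__":
    old = make_blob((0, 8, 6, 0), (0, 8, 6, 0))   # constructed, not VLC's real values
    for shown in ("0.8.6h", "0.8.6i", "0.9.6"):
        print(shown, "->", compare(old, shown))
```

To check a real file, pass `open(path, "rb").read()` as `blob`; a signature scan can hit unrelated bytes, so treat the result as a hint and confirm against the file's properties dialog.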
war59312 RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 26th Nov, 2008 03:33
Score: 3
Posts: 19
User Since: 26th Nov 2008
System Score: N/A
Location: US
Nope, still not fixed, even with VLC 0.9.6.
E.Jeppesen RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Secunia Official 26th Nov, 2008 14:21
Score: 220
Posts: 618
User Since: 24th Nov 2008
System Score: N/A
Location: Copenhagen, DK
Are both of the VLC installations reported as being insecure, or is it
just one of them that is reported as insecure?

Could you please provide us with the version number of each of the
individual files.
VopThis RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 26th Nov, 2008 15:30
Score: 0
Posts: 4
User Since: 29th Dec 2007
System Score: 97%
Location: N/A
Only one of them had been consistently reported as insecure (Ver. 0.8.6h) even when I had updated to Ver. 0.8.6i or ver 0.9.6.
war59312 RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 29th Nov, 2008 01:09
Score: 3
Posts: 19
User Since: 26th Nov 2008
System Score: N/A
Location: US
on 26th Nov, 2008 14:21, E.Jeppesen wrote:
Are both of the VLC installations reported as being insecure, or is it
just one of them that is reported as insecure?

Could you please provide us with the version number of each of the
individual files.
I only have VLC media player 0.9.6 installed.

Screen-shot of exe:

http://img201.imageshack.us/img201/613/vlcet0.png
VopThis RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 1st Dec, 2008 14:09
Score: 0
Posts: 4
User Since: 29th Dec 2007
System Score: 97%
Location: N/A
All is now good in ver 0.9.7.
poutnikl RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 1st Dec, 2008 16:59
Score: 0
Posts: 55
User Since: 8th May 2008
System Score: 99%
Location: CZ
I have previously reported in another thread that my installation of VLC 0.9.6 is still reported as 0.9.4, even though in Help - About and in the EXE file properties it is reported as 0.9.6.

Not sure if 0.9.6 was installed by EXE install, or from archive.

Today I updated VLC to 0.9.7, due to the recent vulnerability, from the 7z package by plain overwriting. On a fresh PSI scan it claimed it is still 0.9.4.
In both places mentioned above, the EXE claims it is 0.9.7.

I uninstalled VLC keeping settings, deleted the VLC folder and installed VLC from the 0.9.7 EXE setup.

PSI running in the background withdrew its 0.9.4 vulnerability report,
all was OK.
highstream RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 3rd Dec, 2008 02:11
Score: 6
Posts: 29
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 3rd Dec, 2008 08:56
I have 0.9.6 and immediately before moving from RC4 to v.1.0, it showed as secure; afterward, it became insecure. After three reinstalls and rescans, PSI v. 1.0.0.1 still claims it is actually the earlier 0.8.6h version. I've read Secunia's write up about VLC, but that doesn't explain either the shifting status here, or how some people report it in this forum as secure, while others of us as insecure. I've checked the file location and it is correct. 0.9.6 may be insecure, too, but it would be nice if PSI would just recognize it consistently.

Update: On the fourth installation, PSI finally recognized 0.9.6 as secure (which now seems contrary to this thread).
jyd44 RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 5th Dec, 2008 19:33
Score: 0
Posts: 1
User Since: 5th Dec 2008
System Score: N/A
Location: N/A
Same Issue:
version PSI v1.0.0.1.
Three VLC installed:
- one in "standard directory" : c:\Program Files\Videolan\Vlc where version file is 0.9.6.99 (from the version tag in the property box) and reported by PSI as 0.8.6f
- one in directory: "C:\Program Files\adslTV" where version file is 0.8.6f and reported by PSI as 0.8.6f
- one in directory "C:\Program Files\HomePlayer\VLC" where version file is 0.8.6f and reported by PSI as 0.8.6f.

Version 0.8.6f is imposed by the adslTV and HomePlayer applications. Nevertheless, only two VLC players should be reported as version 0.8.6f.
albue RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 10th Dec, 2008 01:37
Score: 0
Posts: 1
User Since: 10th Dec 2008
System Score: N/A
Location: N/A
on 25th Nov, 2008 17:01, VopThis wrote:
Remained as above even when updated to Ver. 0.8.6i. for quite some time now. Still unchanged when recently updated to ver 0.9.6.


The file paths are all the same, as well:

"C:\Program Files\VideoLAN\VLC\vlc.exe"
"E:\Program Files\VideoLAN\VLC\vlc.exe"

genegold99 RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 10th Dec, 2008 02:59
Score: 5
Posts: 128
User Since: 25th Nov 2008
System Score: N/A
Location: US
Even after VideoLan pulled the 0.9.8 update, I found a download that was listed as 0.9.7 but in reality was 0.9.6. I guess it must have been a little different than the existing 0.9.6 (seen by PSI as 0.8.4h), because PSI accepted it. Today it turned insecure again because there is a v. 0.9.8 now available. With that, PSI is once again a happy camper.
poutnikl RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 10th Dec, 2008 09:53
Score: 0
Posts: 55
User Since: 8th May 2008
System Score: 99%
Location: CZ
Even 0.9.8 is vulnerable and there is 0.9.8a released.
see ftp://ftp.videolan.org or http://downloads.videolan.org
genegold99 RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 10th Dec, 2008 17:18
Score: 5
Posts: 128
User Since: 25th Nov 2008
System Score: N/A
Location: US
on 10th Dec, 2008 09:53, poutnikl wrote:
Even 0.9.8 is vulnerable and there is 0.9.8a released.
see ftp://ftp.videolan.org or http://downloads.videolan.org

Yes, and it was still showing as 0.8.x
poutnikl RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 10th Dec, 2008 17:24
Score: 0
Posts: 55
User Since: 8th May 2008
System Score: 99%
Location: CZ
Last edited on 10th Dec, 2008 17:25
Not mine, mine is properly shown as 0.9.8a.

At the time I had 0.9.6, it was falsely reported as 0.9.4.
Then I recalled that I had installed 0.9.4 by setup,
but updated to 0.9.6 from archive by overwriting.

I ran the uninstaller, keeping settings, ran the 0.9.6 installer
and voila - PSI reported it properly.

It could be due to some browser VLC plugins that setup installs.
genegold99 RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 10th Dec, 2008 17:51
Score: 5
Posts: 128
User Since: 25th Nov 2008
System Score: N/A
Location: US
What I was referring to was when it showed as insecure this morning with 0.9.6, it showed as 0.8.4h. That was after the uninstall/new install yesterday of 0.9.6. After the update PSI likes it again, showing 0.9.6a. Well, if it's showing as secure in PSI as 0.9.6 yesterday and 0.8.4h today, then is that VLC or PSI?
poutnikl RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 10th Dec, 2008 17:56
Score: 0
Posts: 55
User Since: 8th May 2008
System Score: 99%
Location: CZ
0.96a or 0.9.8a? Because I am not aware of any 0.9.6a version.
Labuszewski RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 8th Jan, 2009 10:34
Score: 0
Posts: 1
User Since: 15th Dec 2008
System Score: N/A
Location: N/A
Last edited on 8th Jan, 2009 10:36
on 25th Nov, 2008 17:01, VopThis wrote:
Remained as above even when updated to Ver. 0.8.6i. for quite some time now. Still unchanged when recently updated to ver 0.9.6.


The file paths are all the same, as well:

"C:\Program Files\VideoLAN\VLC\vlc.exe"
"E:\Program Files\VideoLAN\VLC\vlc.exe"

genegold99 RE: Insecure Ver. 0.8.6h notification doesn't go away after update (dual boot: XP & VISTA)
Member 3rd Apr, 2009 22:02
Score: 5
Posts: 128
User Since: 25th Nov 2008
System Score: N/A
Location: US
VLC has just updated to 0.9.9, but is getting the same false positive with PSI after automatic or full scans, showing an 0.8.x version. It then corrects itself on rescan of the application, and the correct version shows under the Patched software. I made screenshots of before, during and after and sent them to PSI support. Maybe if some others do the same, the problem will be detected, explained and corrected. The address can be found near the bottom of http://secunia.com/vulnerability_scanning/personal...
