Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: VLC Media Player Incorrect Calling Convention Stack Corruption Vu...

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability

Secunia VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Secunia Official 17th Nov, 2010 23:59
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
A vulnerability has been reported in VLC Media Player, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the use of an incorrect calling convention when invoking the "WNetAddConnection2A()" Windows API function, which can be exploited to cause a stack corruption by e.g. tricking a user into opening a specially crafted "smb://" URL or accessing a specially crafted website.

Note: This only affects the Windows version.

The vulnerability is reported in versions prior to 1.1.5.

TheAncient RE: VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Member 17th Nov, 2010 23:59
Score: 0
Posts: 2
User Since: 4th Dec 2008
System Score: N/A
Location: CA
Last edited on 17th Nov, 2010 23:59
I just installed version 1.1.5 which is listed as solution in the article above.
Even after a full re-scan, PSI 2.0 beta still shows VLC player 1.x as "unpatched, no vendor solution" in the secure browsing area. PSI also shows that THIS security advisory (SA42244) is still applicable to version 1.1.5
Was this reply relevant?
+0
-0
Anthony Wells RE: VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Expert Contributor 18th Nov, 2010 11:37
Score: 2414
Posts: 3,310
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello .

My PSI Beta 2.0 is correctly showing the VLC 1.1.5 as still "insecure , no solution" for the Mozilla Plug-in vulnerability which is referenced as SA41810 .

Hope that is clear .

Anthony

--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+2
-0
Woulouf RE: VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Member 18th Nov, 2010 11:38
Score: 10
Posts: 13
User Since: 4th Nov 2009
System Score: 100%
Location: FR
on 17th Nov, 2010 23:59, TheAncient wrote:
I just installed version 1.1.5 which is listed as solution in the article above.
Even after a full re-scan, PSI 2.0 beta still shows VLC player 1.x as "unpatched, no vendor solution" in the secure browsing area. PSI also shows that THIS security advisory (SA42244) is still applicable to version 1.1.5


Yep, that's because the firefox plugin hole still remains unpatched.

http://secunia.com/advisories/41810/#comments

--
PSI 2.0 (attentive) user
----------------------------------
Well, it's just a damn hole-fixing-story ..... isn't it ?
Was this reply relevant?
+0
-0
theDRaKKaR RE: VLC Media Player Incorrect Calling Convention Stack Corruption Vulnerability
Member 29th Nov, 2010 06:51
Score: -2
Posts: 6
User Since: 5th Mar 2010
System Score: N/A
Location: IT
Last edited on 29th Nov, 2010 06:51
To me, the installation patched both exe and plugin.
Was this reply relevant?
+0
-0


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability