VLC media player 1.x
|klausus02||VLC 1.1.7 Browser PlugIn|
|4th Feb, 2011 16:56|
User Since: 4th Feb, 2011
System Score: N/A
Last edited on 4th Feb, 2011 16:57
Some weeks ago a vulnerability was discovered in VLC Media Player 1.1.5.
Now, the latest version 1.1.7 is released. But PSI 2.0 is still pointing out that the browser plugin is insecure. Is it really so? Or is it a matter of updating the PSI database?
|mogs||RE: VLC 1.1.7 Browser PlugIn|
|5th Feb, 2011 10:09|
User Since: 22nd Apr 2009
System Score: 100%
Below is a copy/extract of a softpedia article which may set your mind at rest :-
Critical Vulnerability Fixed in VLC 1.1.7
February 3rd, 2011, 14:11 GMT| By Lucian Constantin
The VideoLAN project has released version 1.1.7 of VLC media player in order to address a critical vulnerability which allows for arbitrary remote code execution.
The vulnerability was announced in an advisory at the beginning of this week, after patches had been submitted to the VLC source code repository.
The flaw is the result of insufficient input validation in the MKV demuxer, the plugin responsible for parsing video files in Matroska or WebM format.
Dan Rosenberg of VSR (Virtual Security Research) is credited with discovering and reporting it to the VLC developers on January 26.
Exploitation involves tricking users into opening a maliciously crafted MKV file. The file can be stored on the local hard drive or a network share.
Web-based attacks leveraging this vulnerability are also possible thanks to the VLC Internet Explorer ActiveX control or the Firefox plugin.
Such attacks, known as drive-by downloads, are usually transparent to the victims and can be launched from legit compromised websites.
Fortunately, the VLC Mozilla plugin is not installed by default, so chances are that only a small percentage of Firefox users have it deployed.
People are advised to install the latest version as soon as possible, but patches for older variants are also available in the Git repository.
You can read more at :-http://news.softpedia.com/news/Critical-Vulnerabil...
So it is very probable that Secunia detection rules are to be updated.
Hope this helps.......regards,
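The article quoted above describes the flaw only as "insufficient input validation in the MKV demuxer". As an added illustration that is not VLC's code and does not reproduce the actual bug, the following C walker shows the class of check a Matroska/WebM (EBML) parser has to make before it trusts a length field read from the file: every declared size is compared against the bytes actually present before it is used as an offset or a copy length. The element IDs for the EBML header (0x1A45DFA3) and DocType (0x4282) are taken from the EBML/Matroska specification; the sample byte strings are constructed for this example, and the function and type names are my own.

```c
/*
 * Bounds-checked EBML element walker (the container format under Matroska/WebM).
 * Added example, not VLC source: it shows the input validation a demuxer needs,
 * i.e. every declared length is checked against the bytes actually present
 * before it is used as an offset or a memcpy length.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define EBML_ID_HEADER  0x1A45DFA3u   /* top-level EBML header element (per spec) */
#define EBML_ID_DOCTYPE 0x4282u       /* DocType string, e.g. "matroska" or "webm" */

enum ebml_status { EBML_OK = 0, EBML_TRUNCATED, EBML_BAD_VINT, EBML_UNKNOWN_SIZE,
                   EBML_SIZE_OVERFLOW, EBML_BAD_MAGIC, EBML_TOO_LONG };

struct ebml_elem { uint32_t id; uint64_t size; size_t data_off; };

/* Read an EBML variable-length integer (1..8 bytes). Returns bytes consumed, 0 on error.
 * strip_marker=1 decodes a size (length-marker bit removed); 0 keeps it for an ID. */
static size_t read_vint(const uint8_t *p, size_t avail, int strip_marker,
                        uint64_t *out, int *all_ones)
{
    if (avail == 0 || p[0] == 0) return 0;       /* 0x00 would mean a >8-byte vint: reject */
    size_t len = 1; uint8_t mask = 0x80;
    while (!(p[0] & mask)) { mask >>= 1; len++; }
    if (len > avail) return 0;                   /* the vint itself runs past the buffer */
    uint64_t v = strip_marker ? (uint8_t)(p[0] & (mask - 1)) : p[0];
    for (size_t i = 1; i < len; i++) v = (v << 8) | p[i];
    if (all_ones) *all_ones = strip_marker && v == ((UINT64_C(1) << (7 * len)) - 1);
    *out = v;
    return len;
}

/* Parse one element header at buf[off]; refuse any payload that is not fully present. */
static enum ebml_status ebml_read_element(const uint8_t *buf, size_t len, size_t off,
                                          struct ebml_elem *e)
{
    uint64_t id, size; int unknown = 0;
    if (off >= len) return EBML_TRUNCATED;
    size_t n = read_vint(buf + off, len - off, 0, &id, NULL);
    if (n == 0 || n > 4) return EBML_BAD_VINT;   /* element IDs are at most 4 bytes */
    size_t pos = off + n;
    size_t m = read_vint(buf + pos, len - pos, 1, &size, &unknown);
    if (m == 0) return EBML_BAD_VINT;
    pos += m;
    if (unknown) return EBML_UNKNOWN_SIZE;       /* "unknown size" is a streaming case; not handled here */
    /* The essential check: compare the declared size with what remains, in the wide
     * type, instead of computing pos + size (which can wrap on a 32-bit size_t). */
    if (size > (uint64_t)(len - pos)) return EBML_SIZE_OVERFLOW;
    e->id = (uint32_t)id; e->size = size; e->data_off = pos;
    return EBML_OK;
}

/* Validate the EBML header and copy its DocType into a fixed-size caller buffer. */
enum ebml_status ebml_read_doctype(const uint8_t *buf, size_t len, char *doctype, size_t cap)
{
    struct ebml_elem hdr, child;
    enum ebml_status st = ebml_read_element(buf, len, 0, &hdr);
    if (st != EBML_OK) return st;
    if (hdr.id != EBML_ID_HEADER) return EBML_BAD_MAGIC;
    size_t pos = hdr.data_off, end = hdr.data_off + (size_t)hdr.size;  /* fits: checked above */
    doctype[0] = '\0';
    while (pos < end) {
        st = ebml_read_element(buf, end, pos, &child);   /* a child may not escape its parent */
        if (st != EBML_OK) return st;
        if (child.id == EBML_ID_DOCTYPE) {
            if (child.size >= cap) return EBML_TOO_LONG;  /* the check a naive memcpy omits */
            memcpy(doctype, buf + child.data_off, (size_t)child.size);
            doctype[(size_t)child.size] = '\0';
        }
        pos = child.data_off + (size_t)child.size;
    }
    return EBML_OK;
}

/* Convenience: 1 if the buffer parses cleanly and its DocType equals `expect`. */
int doctype_is(const uint8_t *buf, size_t len, const char *expect)
{
    char dt[16];
    return ebml_read_doctype(buf, len, dt, sizeof dt) == EBML_OK && strcmp(dt, expect) == 0;
}

/* Constructed sample inputs (hand-built for this example, not real captures). */
static const uint8_t SAMPLE_GOOD[] = {          /* EBML header, 15 bytes of children */
    0x1A,0x45,0xDF,0xA3, 0x8F,
    0x42,0x86, 0x81, 0x01,                      /* EBMLVersion = 1 */
    0x42,0x82, 0x88, 'm','a','t','r','o','s','k','a' };
static const uint8_t SAMPLE_OVERSIZED[] = {     /* DocType claims 32 bytes, only 8 present */
    0x1A,0x45,0xDF,0xA3, 0x8F,
    0x42,0x86, 0x81, 0x01,
    0x42,0x82, 0xA0, 'm','a','t','r','o','s','k','a' };
static const uint8_t SAMPLE_HUGE[] = {          /* 8-byte size near 2^56 at top level */
    0x1A,0x45,0xDF,0xA3, 0x01,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE };
static const uint8_t SAMPLE_WRONG_MAGIC[] = { 0x18,0x53,0x80,0x67, 0x80 };  /* Segment, size 0 */

int main(void)
{
    char dt[16];
    printf("good: %d doctype=%s\n", ebml_read_doctype(SAMPLE_GOOD, sizeof SAMPLE_GOOD, dt, sizeof dt), dt);
    printf("oversized: %d\n", ebml_read_doctype(SAMPLE_OVERSIZED, sizeof SAMPLE_OVERSIZED, dt, sizeof dt));
    printf("huge: %d\n", ebml_read_doctype(SAMPLE_HUGE, sizeof SAMPLE_HUGE, dt, sizeof dt));
    printf("wrong magic: %d\n", ebml_read_doctype(SAMPLE_WRONG_MAGIC, sizeof SAMPLE_WRONG_MAGIC, dt, sizeof dt));
    return 0;
}
```

The two comparisons that matter are `size > len - pos` (done in the 64-bit type rather than as `pos + size > len`, which can wrap) and `child.size >= cap` before the `memcpy` into the fixed buffer; a demuxer that trusts the file's own length fields at either point is the pattern the advisory's "insufficient input validation" describes.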
|Anthony Wells||RE: VLC 1.1.7 Browser PlugIn|
|5th Feb, 2011 12:08|
User Since: 19th Dec 2007
System Score: N/A
Last edited on 5th Feb, 2011 12:13
The full list of Secunia Advisories for the VLC Player can be found here in the programme's vulnerability report :-
The vulnerability in this SA is fixed by updating to version 1.1.6 :-
The vulnerability in this SA is fixed by updating to version 1.1.7 :-
Applying these will show you as fully patched and "secure" by the PSI .
This vulnerability, which only applies to the Mozilla/Firefox plug-in, is NOT shown as being patched in this SA, even though the plug-in is not installed by default :-
Due to the way the PSI detection rules read the VLC programme, it will show all browsers as being "insecure/no solution" in the "secure browsing" module of the PSI; this is a known bug and has been discussed at length in several threads. This status will not change until/unless the Mozilla plug-in insecurity is fixed in the Player or the Player's method of incorporating the plug-in(s) changes.
Hope that is clear .
It always seems impossible until it's done.