Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
PSI
PSI API
CSI
OSI
xSI
Vulnerabilities
Programs
Open Discussions
My Threads
Create Thread
Statistics
About

Forum Thread: VLC 1.1.7.0 Browser PlugIn

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
VideoLAN
And, this specific program:
VLC media player 1.x

This thread has been marked as locked.
klausus02 VLC 1.1.7.0 Browser PlugIn
Member 4th Feb, 2011 16:56
Ranking: 7
Posts: 51
User Since: 4th Feb, 2011
System Score: N/A
Location: DE
Last edited on 4th Feb, 2011 16:57

Some weeks ago a vulnerability was discovered in VLC Media Player 1.1.5.

Now, the latest version 1.1.7.0 is released. But PSI 2.0 is still pointing out that the browser plugin is unsecure. Is it realy so? Or is it a matter of updating the PSI-database?

Thanks
klaus

mogs RE: VLC 1.1.7.0 Browser PlugIn
Expert Contributor 5th Feb, 2011 10:09
Score: 2265
Posts: 6,266
User Since: 22nd Apr 2009
System Score: 100%
Location: UK
Hello.
Below is a copy/extract of a softpedia article which may set your mind at rest :-
Critical Vulnerability Fixed in VLC 1.1.7
February 3rd, 2011, 14:11 GMT| By Lucian Constantin

The VideoLAN project has released version 1.1.7 of VLC media player in order to address a critical vulnerability which allows for arbitrary remote code execution.

The vulnerability was announced in an advisory at the beginning of this week after patches have been submitted to the VLC source code repository.

The flaw is the result of insufficient input validation in the MKV demuxer, the plugin responsible for parsing video files in Matroska or WebM format.

Dan Rosenberg of VSR (Virtual Security Research) is credited with discovering and reporting it to the VLC developers on January 26.

Exploitation involves tricking users into opening a maliciously crafted MKV file. The file can be stored on the local hard drive or a network share.

Web-based attacks leveraging this vulnerability are also possible thanks to the VLC Internet Explorer ActiveX control or the Firefox plugin.

Such attacks, known as drive-by downloads, are usually transparent to the victims and can be launched from legit compromised websites.

Fortunately, the VLC Mozilla plugin is not installed by default, so chances are that only a small percentage of Firefox users have it deployed.

People are advised to install the latest version as soon as possible, but patches for older variants are also available in the Git repository as well.


You can read more at :-http://news.softpedia.com/news/Critical-Vulnerabil...

So it is very probable that Secunia detection rules are to be updated.
Hope this helps.......regards,

--
Was this reply relevant?
+3
-0
Anthony Wells RE: VLC 1.1.7.0 Browser PlugIn
Expert Contributor 5th Feb, 2011 12:08
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 5th Feb, 2011 12:13
Hi,

The full list of Secunia Advisories for the VLC Player can be found here in the programme's vulnerability report :-

http://secunia.com/advisories/product/25892/?task=...

The vulnerability in this SA is fixed by updating to version 1.1.6 :-

http://secunia.com/advisories/42773/

The vulnerability in this SA is fixed by updating to version 1.1.7 ;-

http://secunia.com/advisories/43131/

Applying these will show you as fully patched and "secure" by the PSI .

This vulnerability , which only applies to the Mozilla/Firefox plug-in , is NOT shown as being patched in this SA ; even though the plug-in is not installed by default :-

http://secunia.com/advisories/41810/

Due to the way the PSI detection rules reads the VLC programme , it will show all browsers as being "insecure/no solution" in the "secure browsing" module of the PSI ; this is a known bug and has been discussed at length in several threads . This status will not change until/unless the Mozilla plug-in insecurity is fixed in the Player or the Player's method of incorporating the plug-in(s) changes .

Hope that is clear .

Take care

Anthony



--


It always seems impossible until its done.
Nelson Mandela
Was this reply relevant?
+1
-1

This thread has been marked as locked.


 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Factsheets
Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability