
Forum Thread: Does VLC Player 1.1.8 fix SA41810 ?

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
Programs

Relating to this vendor:
VideoLAN
And, this specific program:
VLC media player 1.x

This thread has been marked as locked.
klausus02 Does VLC Player 1.1.8 fix SA41810 ?
Member 26th Mar, 2011 15:03
Ranking: 7
Posts: 51
User Since: 4th Feb, 2011
System Score: N/A
Location: DE
Hi,

VideoLAN has released version 1.1.8 to fix some security issues. PSI 2.0 now shows vlc as fixed. But this still does not seem to be true for the firefox-plugIn. What's up? Both vlc and the ff-plugin are pointing to the identical .exe!

Thanks
klaus

Anthony Wells RE: Does VLC Player 1.1.8 fix SA41810 ?
Expert Contributor 26th Mar, 2011 16:18
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi,

This problem is discussed after every update; if Secunia do not show the Ff plug-in as patched (they do not work on the PSI at weekends, so wait a few days) then it is likely that it is not. The download of 1.1.8 still shows the plug-in as not default during installation.

You can find all the other earlier threads on this subject by clicking the blue "VLC media player 1.x" link at the upper right on this page; it gives you all the available info:

http://secunia.com/community/forum/?forum=2&vendor...

Take care

Anthony



--


It always seems impossible until its done.
Nelson Mandela
klausus02 RE: Does VLC Player 1.1.8 fix SA41810 ?
Member 1st Apr, 2011 13:43
Score: 7
Posts: 51
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Nice answer.

BUT! Today, I uninstalled vlc 1.1.8 and restarted my XP-system.
Then I let PSI do a complete scan: no vlc detected, no ff-vlc-plugin detected.
As expected. Then I reinstalled vlc WITHOUT the plugIn.

Result: PSI shows the vlc-plugin installed again as insecure although it is definitely not installed!

Explanation? Is it possible at all to install vlc without PSI assuming that the plugin is installed? It looks like some sort of bug in PSI 2.0.

Perhaps, the plugin of vlc 1.1.8 isn't unsecure anymore. How reliable is PSI in this case?

Thanks
Klaus
Anthony Wells RE: Does VLC Player 1.1.8 fix SA41810 ?
Expert Contributor 1st Apr, 2011 13:57
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Klaus,
If you have read all the other threads you will see that the answer is NO if the actual vulnerability has not been fixed by the vendor.

The "known bug" will remain for the dim and distant future in any version of the PSI with a "Secure Browsing" module again until the VLC player is fixed.

Nothing is 100% certain - except death and taxes - so Secunia may be unaware (doubtful) of a fix, you will need to ask the vendor whether they have fixed the Ff plug-in and if so, to let Secunia know.

Anthony

--


It always seems impossible until its done.
Nelson Mandela
klausus02 RE: Does VLC Player 1.1.8 fix SA41810 ?
Member 1st Apr, 2011 14:05
Score: 7
Posts: 51
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Anthony,

I searched the vlc-forum and found the following thread:

http://forum.videolan.org/search.php?sid=8fd45ba10...

As you can read, there is still no reply to my last post. But they think that this bug is fixed.

Thanks
Klaus
Anthony Wells RE: Does VLC Player 1.1.8 fix SA41810 ?
Expert Contributor 1st Apr, 2011 14:32
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Klaus,

Your link takes me to a/their Forum search webpage and not to a specific thread. I have no idea what info to put into the search requests.

That they only "think" the bug is fixed would never be enough for Secunia, who need confirmed/confirmable data.

As the Ff plug-in is still not selected by default, I, personally, have my doubts.

Back to you to follow up with the maker, I'm afraid.

Anthony



--


It always seems impossible until its done.
Nelson Mandela
klausus02 RE: Does VLC Player 1.1.8 fix SA41810 ?
Member 1st Apr, 2011 14:39
Score: 7
Posts: 51
User Since: 4th Feb 2011
System Score: N/A
Location: DE
Anthony,

I understand your distrust.

But how can it be explained that PSI shows a report about the plugin although the plugin isn't installed?


Thanks Klaus

PS:

Sorry for the wrong link.
Here is the correct one:
http://forum.videolan.org/viewtopic.php?f=14&t=877...


Anthony Wells RE: Does VLC Player 1.1.8 fix SA41810 ?
Expert Contributor 1st Apr, 2011 15:03
Score: 2384
Posts: 3,280
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 1st Apr, 2011 15:12
Klaus,

Got it :)

Any personal "distrust" on my part is irrelevant to the SA; I do have the VLC player loaded without the Ff plug-in enabled, so I do choose to have other Player options available to me as I never use IE.

Secunia have stated - somewhere,*** amongst the linked threads - that the nature of the construction of the Player means that they cannot differentiate between the plug-ins, so ALL browsers, by contamination, show as insecure in the PSI "secure browsing" module.

Notwithstanding, the Secunia PSI detection rules also do not/is not able to monitor "workarounds", so that the "default" loading option is/may also be unacceptable, whilst being of great importance to the user.

Until/unless the Player bundling is changed to allow the separate detection of the plug-in by the PSI or "simply:))" the vulnerability in the Ff plug-in is fixed, there is nothing to add from me.

Take care

Anthony

***EDIT: see Emil's reply here:

http://secunia.com/community/forum/thread/show/737...

--


It always seems impossible until its done.
Nelson Mandela
