Secunia
Relating to this vendor: VideoLAN |
And, this specific program: VLC media player 1.x |
| klausus02 | Does VLC Player 1.1.8 fix SA41810 ? |
|---|---|
|
26th Mar, 2011 15:03 |
|
Ranking: 7 Posts: 50 User Since: 4th Feb, 2011 System Score: N/A Location: DE |
Hi, VideoLAN has released version 1.1.8 to fix some security issues. PSI 2.0 now shows vlc as fixed. But still this seems not true for the firefox-plugIn. What's up? Both, vlc and the ff-plugin are pointing to the identical .exe ! Thanks klaus |
| Anthony Wells | RE: Does VLC Player 1.1.8 fix SA41810 ? | ||||||||
|
26th Mar, 2011 16:18 | ||||||||
| Score: 2324 Posts: 3,203 User Since: 19th Dec 2007 System Score: N/A Location: N/A |
Hi , This problem is discussed after every update ; if Secunia do not show the Ff plug-in as patched (they do not work on the PSI at weekends , so wait a few days) then likely is that it is not . The download of 1.1.8 still shows the plug-in as not default during installation . You can find all the other earlier threads on this subject by clicking the blue "VLC media player 1.x" link at the upper right on this page ; it gives you all the available info :- http://secunia.com/community/forum/?forum=2&vendor... Take care Anthony -- It always seems impossible until it's done. Nelson Mandela |
| klausus02 | RE: Does VLC Player 1.1.8 fix SA41810 ? | ||||||||
|
1st Apr, 2011 13:43 | ||||||||
| Score: 7 Posts: 50 User Since: 4th Feb 2011 System Score: N/A Location: DE |
Nice answer. BUT! Today, I uninstalled vlc 1.1.8 and restarted my XP-system. Then I let PSI do a complete scan: no vlc detected, no ff-vlc-plugin detected. As expected. Then I reinstalled vlc WITHOUT the plugIn. Result: PSI shows the vlc-plugin installed again as unsecure although it is definitely not installed! Explanation? Is it possible at all to install vlc without PSI assuming that the plugin is installed? It looks like some sort of bug in PSI 2.0. Perhaps, the plugin of vlc 1.1.8 isn't unsecure anymore. How reliable is PSI in this case? Thanks Klaus |
| Anthony Wells | RE: Does VLC Player 1.1.8 fix SA41810 ? | ||||||||
|
1st Apr, 2011 13:57 | ||||||||
| Score: 2324 Posts: 3,203 User Since: 19th Dec 2007 System Score: N/A Location: N/A |
Klaus , If you have read all the other threads you will see that the answer is NO if the actual vulnerability has not been fixed by the vendor . The "known bug" will remain for the dim and distant future in any version of the PSI with a "Secure Browsing" module again until the VLC player is fixed . Nothing is 100% certain - except death and taxes - so Secunia may be unaware (doubtful) of a fix , you will need to ask the vendor whether they have fixed the Ff plug-in and if so , to let Secunia know . Anthony -- It always seems impossible until it's done. Nelson Mandela |
| klausus02 | RE: Does VLC Player 1.1.8 fix SA41810 ? | ||||||||
|
1st Apr, 2011 14:05 | ||||||||
| Score: 7 Posts: 50 User Since: 4th Feb 2011 System Score: N/A Location: DE |
Anthony, I searched the vlc-forum and found the following thread: http://forum.videolan.org/search.php?sid=8fd45ba10... As you can read, there is still no reply to my last post. But they think that this bug is fixed. Thanks Klaus |
| Anthony Wells | RE: Does VLC Player 1.1.8 fix SA41810 ? | ||||||||
|
1st Apr, 2011 14:32 | ||||||||
| Score: 2324 Posts: 3,203 User Since: 19th Dec 2007 System Score: N/A Location: N/A |
Klaus , Your link takes me to a/their Forum search webpage and not to a specific thread . I have no idea what info to put into the search requests . If they only "think" the bug is fixed would never be enough for Secunia who need confirmed/confirm-able data . As the Ff plug-in is still not selected by default then I , personally , have my doubts . Back to you to follow up with the maker , I'm afraid . Anthony -- It always seems impossible until it's done. Nelson Mandela |
| klausus02 | RE: Does VLC Player 1.1.8 fix SA41810 ? | ||||||||
|
1st Apr, 2011 14:39 | ||||||||
| Score: 7 Posts: 50 User Since: 4th Feb 2011 System Score: N/A Location: DE |
Anthony, I understand your distrust. But how can it be explained, that PSI shows a report about the plugin although the plugin isn't installed? Thanks Klaus PS: Sorry for the wrong link. Here is the correct one: http://forum.videolan.org/viewtopic.php?f=14&t=877... |
| Anthony Wells | RE: Does VLC Player 1.1.8 fix SA41810 ? | ||||||||
|
1st Apr, 2011 15:03 | ||||||||
| Score: 2324 Posts: 3,203 User Since: 19th Dec 2007 System Score: N/A Location: N/A Last edited on 1st Apr, 2011 15:12 |
Klaus , Got it :) Any personal "distrust" on my part is irrelevant to the SA ; I do have the VLC player loaded without the Ff plug-in enabled , so I do choose to have other Player options available to me as I never use IE . Secunia have stated - somewhere ,*** amongst the linked threads - that the nature of the construction of the Player means that they cannot differentiate between the plug-ins , so ALL browsers , by contamination , show as insecure in the PSI "secure browsing" module . Notwithstanding , the Secunia PSI detection rules also do not/is not able to monitor "workarounds" , so that the "default" loading option is/may also be unacceptable , whilst being of great importance to the user . Until/unless the Player bundling is changed to allow the separate detection of the plug-in by the PSI or "simply:))" the vulnerability in the Ff plug-in is fixed , there is nothing to add from me . Take care Anthony ***EDIT ; see Emil's reply here :- http://secunia.com/community/forum/thread/show/737... -- It always seems impossible until it's done. Nelson Mandela |