Forum Thread: VLC - Program versus plug-in

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
Midnight_Voice VLC - Program versus plug-in
Member 16th Jun, 2011 18:22
Ranking: 50
Posts: 89
User Since: 1st Oct, 2010
System Score: 96%
Location: UK
I have VLC as vlc.exe version 1.1.10.0. PSI thinks this is OK, vis-a-vis Advisory SA44412.

I also have VLC as a plug-in in Safari, IE8, and FF 4.0.1. Under Secure Browsing, PSI thinks these are not OK, vis-a-vis Advisory SA41810.

Unlike the thread hanging off these advisories, which has got rather intemperate, I am happy to take this discrepancy at face value - VLC have fixed the program, but not fixed their plugins, which are not quite the same, fair enough.

However, when I double-click one of these plugins, I get a display which refers to vlc.exe, says it's OK, refers to SA44412.

It's wrong that that's what happens, isn't it?


--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz

wr RE: VLC - Program versus plug-in
Contributor 16th Jun, 2011 21:10
Score: 308
Posts: 736
User Since: 30th Mar 2008
System Score: 100%
Location: US
Hi Midnight Voice

This subject of VLC Player & the plug-in for Mozilla has been beat to death here. If you do a search of VideoLAN/VLC Player on the Forum you'll find 2 pages of posts that stretch back almost a year. The posts really do make for a good read & answer most all questions regarding this 'problem'. This vulnerability in the plug-in goes back to 2008 so it's nothing new.

I'm not going to provide a synopsis here - just read the posts & draw your own conclusion(s). I did & uninstalled the VLC media player.

Can't wait for Anthony Wells to see, read, & comment.

Hope this helps.

Regards, wr

--
HP Pavilion Slimline s3020n
Windows Vista Home Premium SP2 32 bit
AMD 64 Athlon X2
Firefox 24.4.0 ESR
The weakest link of a computer system is always sitting in front of the monitor.
Anthony Wells RE: VLC - Program versus plug-in
Expert Contributor 16th Jun, 2011 23:37
Score: 2437
Posts: 3,324
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 16th Jun, 2011 23:39
Ah Hah , bonsoir M_V and wr ,

I'm here O Great Silver One and now that the full moon has passed the eclipse , my fangs are bared and bloody .

Actually the point is simple , the .exe complies with SA44412 and in "Scan Results" is as patched as you can get , as per Secunia definitions .

Equally , as the OGSO is au fait (moi aussi) after due diligence of some two years of n'importe quoi , then as the PSI cannot separate the plug_in options the .exe is displayed in "secure browsing" and if it is double clicked it returns to the "Scan Results" splash window and is secure ; with the proviso , that if you click the blue SA41810 to the right end of the entry you get the outstanding plug-in "insecurity" detailed by display of the SA in your default browser . If you happen to have IE 8 installed you can get the same effect for its everlasting "bug" !!

P ***** , Good job the French don't swear like the Anglo Saxons , M**** . So , Zut Alors , j'espère le sujet est complètement mort maintenant , sinon ...

Bonsoir and keep a watch out behind you M_V , OGSO is self protecting :))

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
Midnight_Voice RE: VLC - Program versus plug-in
Member 16th Jun, 2011 23:55
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
on 16th Jun, 2011 23:37, Anthony Wells wrote:
Ah Hah , bonsoir M_V and wr ,

I'm here O Great Silver One and now that the full moon has passed the eclipse, my fangs are bared and bloody.

Actually the point is simple , the .exe complies with SA44412 and in "Scan Results" is as patched as you can get , as per Secunia definitions .

Equally , as the OGSO is au fait (moi aussi) after due diligence of some two years of n'importe quoi , then as the PSI cannot separate the plug_in options the .exe is displayed in "secure browsing" and if it is double clicked it returns to the "Scan Results" splash window and is secure; with the proviso that if you click the blue SA41810 to the right end of the entry, you get the outstanding plug-in "insecurity" detailed by display of the SA in your default browser. If you happen to have IE 8 installed you can get the same effect for its everlasting "bug" !!

P ***** , Good job the French don't swear like the Anglo Saxons , M**** . So , Zut Alors , j'espère le sujet est complètement mort maintenant , sinon ...

Bonsoir and keep a watch out behind you M_V , OGSO is self protecting :))

Anthony


Do I detect a note of hysteria here, based on this long-running discrepancy? :-)

And I'm not sure if OGSO refers to the issue in general, or some dangerous arcana possessed (what a suitable word!) by wr....

But as I said, I'm happy to believe the exe is safe, and the plug-in isn't. Simples, non?

And you have put your finger on the issue. PSI, inexplicably, can perfectly well tell the plug-in from the .exe when it comes to the Secure Browsing display, but can't distinguish them when you click on it.

Ho hum. Looks like something that needs to be remedied tout suite (to continue the trend into the parlance of the CESMs).

M_V (now with the precaution of wing mirrors as outriders on my trendy shades, and under the protection of local dignitary Mayor Dalors)

--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
Anthony Wells RE: VLC - Program versus plug-in
Expert Contributor 17th Jun, 2011 00:13
Score: 2437
Posts: 3,324
User Since: 19th Dec 2007
System Score: N/A
Location: N/A
Last edited on 17th Jun, 2011 00:16
Hi ,

I was tempted to use the word "simples" myself ; glad I didn't , saves embarrassment .

The whole point of the n'importe quoi and to which you add shovels full is that the PSI rules and VLC bundling prevent individual plug-in detection at all times and in all events , so any installation of the VLC Player , with whatever configuration , is considered as "insecure/no solution" and not safe for browsing !! SIMPLES!! Click the SA not the entry .

Like OGSO says , do your reading and I suggest add some silver bullets "tout de suite" to your ear wings in the interim .

Behind you .

Anthony



--


It always seems impossible until it's done.
Nelson Mandela
Midnight_Voice RE: VLC - Program versus plug-in
Member 17th Jun, 2011 00:58
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
on 17th Jun, 2011 00:13, Anthony Wells wrote:
Hi ,

I was tempted to use the word "simples" myself ; glad I didn't , saves embarrassment .

The whole point of the n'importe quoi and to which you add shovels full is that the PSI rules and VLC bundling prevent individual plug-in detection at all times and in all events , so any installation of the VLC Player , with whatever configuration , is considered as "insecure/no solution" and not safe for browsing !! SIMPLES!! Click the SA not the entry .

Like OGSO says , do your reading and I suggest add some silver bullets "tout de suite" to your ear wings in the interim .

Behind you .

Anthony


Life's too short :-(

If I read you aright, you seem to be implying that because there was once a VLC that wasn't safe, and because PSI, for some reason, doesn't/can't detect what the plug-in's version actually is, it errs on the side of caution and says the plug-in isn't safe, even though it might perfectly well be.

OTOH, wr has chosen to uninstall VLC - not just as a plug-in, but everywhere it seems - on the grounds that it is never safe.

Does not compute.

Now please excuse me while I eat this delicious meal of Spanish cucumber and German bean sprouts :-)

M_V


--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
wr RE: VLC - Program versus plug-in
Contributor 17th Jun, 2011 01:20
Score: 308
Posts: 736
User Since: 30th Mar 2008
System Score: 100%
Location: US
Hi M_V

The reason I uninstalled VLC was because I have Ff as my default browser & only use Internet Exploder when Ff fails - that means usually just to do Windoze Updates. Since Windoze Media Player is a bundled program, why take the risk with the vulnerable VLC plug-in for Ff?

Enjoy your meal as I'm about to do the same.

Until next time.

Regards, wr


--
HP Pavilion Slimline s3020n
Windows Vista Home Premium SP2 32 bit
AMD 64 Athlon X2
Firefox 24.4.0 ESR
The weakest link of a computer system is always sitting in front of the monitor.
Midnight_Voice RE: VLC - Program versus plug-in
Member 17th Jun, 2011 01:50
Score: 50
Posts: 89
User Since: 1st Oct 2010
System Score: 96%
Location: UK
on 17th Jun, 2011 01:20, wr wrote:
Hi M_V

The reason I uninstalled VLC was because I have Ff as my default browser & only use Internet Exploder when Ff fails - that means usually just to do Windoze Updates. Since Windoze Media Player is a bundled program, why take the risk with the vulnerable VLC plug-in for Ff?

Enjoy your meal as I'm about to do the same.

Until next time.

Regards, wr


Ah yes, I understand. And I do the same as you - FF for everything except Windoze updates, and a couple of sites where FF gets it wrong (Sony local dealer popover and some Tesco Online basket amendment issue - both reported via the FF link for that, but no satisfaction yet) where I use IE8 under protest.

But I have video files that WMP is not at all happy with - dropped frames, sound goes out of sync, won't play at all, can't see the alternative English soundtrack and insists on playing the file in Italian, shows the subtitles only in the Wingdings font - that sort of thing. Whereas VLC plays them perfectly.

Hence I need to keep VLC around. But I shall take care to exercise caution with it, and keep my Avast up to date...

Cheers

M_V

--
A computer program can do pretty much anything the user doesn't know is impossible for it to do.

XP Home 32-bit - Compaq Presario V2000 Celeron 1.4GHz
Vista Ultimate 32-bit - Toshiba Equium A100 Centrino Duo 1.7GHz
Windows 7 Ultimate 64-bit - Dell Studio XPS 1645 Core i7-720 Quad 1.6-2.4GHz
(Also running XP Pro in Windows XP Mode 32-bit)
Windows 8.1 Home Premium 64-bit - Lenovo IdeaPad Z500 Core i5 2.6Ghz
SimonPhilips RE: VLC - Program versus plug-in
Member 17th Jun, 2011 14:13
Score: 0
Posts: 1
User Since: 17th Jun 2011
System Score: N/A
Location: US
I have my VLC also and so far got no problems using them with my other plugins :)

--
http://keywestmls.com/
Anthony Wells RE: VLC - Program versus plug-in
Expert Contributor 17th Jun, 2011 15:36
Score: 2437
Posts: 3,324
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hi ,

This thread is now likely to clog up with tag-ons and fill my mail box with spam , so I will unsubscribe ; over to you M_V .

There are options to VLC , I have MPC Home Cinema and DivX plugged in ; just don't go on line in Ff with the VLC Player Ff plug-in loaded and be sure of the origin of your files ; in fact , be absolutely sure of their provenance whatever player is being used :-

http://www.techsupportalert.com/best-free-windows-...

Glad you're eating well OGSO .

Simon , FYI the Firefox plug-in is "insecure" , is unlikely to be fixed in my lifetime and should be avoided ; hence it is not selected for installation by default in the install process of the VLC Player . Just because you ain't been bitten yet is nothing whatsoever to go by , believe me .

Bi y'all .

Anthony

--


It always seems impossible until it's done.
Nelson Mandela