Holes Closed in VLC Media Player

Tuesday, March 20, 2012 @ 05:03 PM gHale


Version 2.0.1 of the open source VLC Media Player includes fixes for more than 110 bugs and closes two security holes an attacker could exploit to compromise a victim’s system.

The update addresses a stack overflow in MMS support as well as a heap-based buffer overflow in Real RTSP support which could lead to arbitrary code execution on most systems, said VideoLAN developer Jean-Baptiste Kempf.

For an attack to be successful, a user must first open a specially crafted file or a malicious web site. All VLC versions up to and including 2.0.0 are affected. Upgrading to 2.0.1 fixes these issues.

Non-security-related updates in VLC 2.0.1 include added support for MxPEG files and streams, decoding improvements and, on Mac OS X, a user interface that is now said to be more customizable.

Other changes include limited support for Blu-ray disc menus, and fixes for MKV, HTTP Live Streaming, CDDB and UDP/RTP support, as well as various other bug fixes.

A full list of changes in the update is in the NEWS file and in the release notes. VLC 2.0.1 is available to download for Windows, Mac OS X and Linux. VLC source code and binaries are licensed under GPLv2.


