VLC Vulnerability HTML and code


3 replies to this topic

#1 czarboom


Posted 08 July 2014 - 01:41 AM

http://www.securityfocus.com/bid/57079?
VLC has an HTML and other code issues.
Reported by Security Focus
CZARBOOM 
 
"Never Stop Asking Questions, Question Your Environment, Question Your Government, above all Question Yourself.  We all lose when you Stop asking Why?


#2 Chris Cosgrove


Posted 08 July 2014 - 07:43 PM

The current version of the VLC player is 2.1.3 (Rincewind) which is not on that list.

 

Yet another argument for keeping software up to date? Still, it is nice to see there are other Discworld fans out there. Ankh-Morpork rules!

 

Chris Cosgrove



#3 rp88


Posted 11 July 2014 - 10:45 AM

Is this vulnerability eliminated by disabling VLC plugins in the browser? Or can you be attacked just by playing offline video files (as stored on DVD or hard drive) through VLC?


Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#4 myrti


Posted 11 July 2014 - 05:03 PM

Hi,

It seems that the vulnerability is from 2012/2013. The report linked says:

Versions prior to VLC Media Player 2.0.5 are vulnerable.


So if you have any more recent VLC version you're fine.

Given the title of the vulnerability (and not much more since there's no documentation on it), it's more likely to be a problem with subtitles. These are usually stored in files ending in .srt and use an HTML-like formatting.
If you execute such a file with an old version of VLC, another executable might be launched. Though, from the report, no abuse of this vulnerability has been reported yet.

regards
myrti
If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

