Hole in VLC Media Player
Virtual Security Research (VSR) has identified a vulnerability in VLC Media Player. In versions up to and including 1.1.5 of the VLC Media Player, specially crafted files can be used to inject code that will trigger a buffer overflow in the demultiplexer used for Real Media format files.
Potential victims need to explicitly open such a specially crafted file. Users have, therefore, been advised not to open files from unknown sources until the media player has been patched. As an alternative, the Real demuxer plug-in (libreal_plugin.*
) can be removed from the VLC plugin directory. VLC Media Player 1.1.6 is said to be immune to the problem, but the Videolan developers have not yet released this version for Windows.
(ehe)