New critical vulnerability in VLC Media Player
Update 1.1.6, released just last week, fixed a critical vulnerability in the VideoLAN project's VLC Media Player. Now the project has reported a new vulnerability which could be exploited using specially crafted MKV (Matroska Video and WebM) films to inject malicious code onto a system and execute that code with the user's privileges. All versions up to and including 1.1.6 are affected.
The root of the problem lies with insufficient input validation in the MKV demuxer plugin (libmkv_plugin.*). The update consists of swapping a single line within a macro. The change has already found its way into the Git repository, but currently no further. An official update, version 1.1.7, is expected to be released shortly.
Alternatively, the developers recommend manually deleting the plugin in question from the installation directory. As MKV is a very common HD video format, an update might be a better solution.
Update (02-02-11): The VideoLAN project has now released VLC 1.1.7 to fix the vulnerability.