Security update for VLC media player
A new version of the VLC media player fixes a critical vulnerability in the Windows version, located in the ActiveX control DLL (axvlc.dll) for Internet Explorer. Because of inadequate parameter checking, a malicious website could use the vulnerability to overwrite memory regions and execute arbitrary code.
Versions from 0.8.6 up to and including 0.8.6c are affected; versions prior to 0.8.6 are not vulnerable. Version 0.8.6d fixes the bug, and pre-compiled binaries are already available for download from the VLC website. Alternatively, users can switch to Mozilla-based browsers such as Firefox and SeaMonkey and use the appropriate VLC plugin.
See also:
- Recursive plugin release vulnerability in Active X plugin, vulnerability report from VLC
- VLC ActiveX Bad Pointer Initialization Vulnerability, vulnerability report from Core Security (Warning: the included proof-of-concept code may generate a virus alert.)
(ehe)