MyCERT Advisories

MyCERT Advisories, Alerts and Summaries for the year 2011

MA-283.072011 : MyCERT Alert – Multiple Critical Vulnerabilities in VideoLAN Client (VLC) Media Player

Date of publication: 2011-07-15

1.0 Introduction

Multiple critical vulnerabilities (CVE-2011-2587 and CVE-2011-2588) have been identified in VideoLAN Client (VLC) Media Player version 1.1.10 and below. The vulnerabilities exist in the Real Media file parser [1] and the AVI file parser [2] of VLC.

2.0 Impact

An attacker who successfully exploits these vulnerabilities will be able to execute code remotely with the same privileges as the user. Unsuccessful attacks may result in a denial of service (DoS).

3.0 Affected Products

VLC media player 1.1.10 and earlier

4.0 Recommendation

  • 4.1 Update to the latest version of VLC Media Player (1.1.11)

  • 4.2 Users who are unable to perform the update are advised to refrain from opening files from untrusted third parties or accessing untrusted remote sites (or to disable the VLC browser plugins) until the patch is applied.

MyCERT advises users to stay alert to the latest security announcements from vendors and to ensure that their applications are updated.

Users may also consider using a vulnerability management tool such as Secunia to ensure that all applications are updated:
http://secunia.com/vulnerability_scanning/personal/

MyCERT can be reached through the following channels for further assistance:

E-mail : mycert@mycert.org.my
Phone : 1-300-88-2999 (monitored during business hours)
Fax : +603 89453442
Handphone : +60 19 2665850 (24x7 call incident reporting)
SMS : CYBER999 REPORT to 15888
Business Hours : Mon - Fri 08:30 - 17:30 MYT
Web: http://www.mycert.org.my

5.0 References

[1] http://www.videolan.org/security/sa1105.html
[2] http://www.videolan.org/security/sa1106.html