September 29, 2016

VLC Releases V1.1.7 To Plug MKV Vulnerability

The VideoLAN project team have released V1.1.7 of VLC, which closes the hole in the MKV demuxer discovered a few days ago. This is the eighth release of the 1.1.x branch of VLC; as well as fixing the MKV problem, it fixes some other minor issues and updates some translations.

The original problem, detailed in Security Advisory 1102, is a lack of input validation in the MKV demuxer, which means that a specially crafted file could allow a malicious third party to execute arbitrary code.

All users of VLC, which is available for OS X, Windows and Linux, should upgrade.

MKV Vulnerability Discovered in VLC Player

With V1.1.6 of the VideoLAN player (VLC) fresh out of the door, Dan Rosenberg of Virtual Security Research has now reported a new vulnerability in the media player, this time in the MKV (Matroska or WebM) decoder. According to Security Advisory 1102 there is insufficient input validation in the MKV demuxer, which means that a specially crafted file could allow a malicious third party to execute arbitrary code.

The workarounds are a) not to open any untrusted video files in the MKV format, or b) to delete the MKV demuxer plugin (libmkv_plugin.*) from the VLC plugin installation directory. A proper fix will come with the release of VLC media player 1.1.7.
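The plugin workaround above as a small shell script; this is an added example, not the VideoLAN project's own tooling. It assumes the VLC plugin directory is passed on the command line (its location differs per platform and build) and that the plugin file sits either directly in it or one subdirectory down; it also checks the installed version string against 1.1.7 so the plugin is only moved aside on affected releases.

```shell
#!/bin/sh
# Added example, not part of the VideoLAN advisory or the VLC project.
# Assumes: the plugin directory is supplied by the caller (its location
# varies by platform and build); the plugin may sit in it or one level down.

# Returns 0 when the given VLC version string is 1.1.7 or newer.
vlc_version_fixed() {
  # Keep the leading dotted-digit part, e.g. "1.1.7-git" -> "1.1.7".
  v=$(printf '%s' "$1" | sed 's/^[^0-9]*//; s/[^0-9.].*$//')
  maj=$(printf '%s' "$v" | cut -d. -f1)
  min=$(printf '%s' "$v" | cut -d. -f2)
  pat=$(printf '%s' "$v" | cut -d. -f3)
  maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
  if [ "$maj" -ne 1 ]; then [ "$maj" -gt 1 ]; return; fi
  if [ "$min" -ne 1 ]; then [ "$min" -gt 1 ]; return; fi
  [ "$pat" -ge 7 ]
}

# Moves every libmkv_plugin.* found in $1 (or one subdirectory down, e.g.
# a plugins/demux layout) into $2 so VLC can no longer load it.
# Prints the number of files moved; moving them back undoes the workaround.
quarantine_mkv_plugin() {
  plugin_dir=$1
  quarantine=$2
  mkdir -p "$quarantine" || return 1
  moved=0
  for f in "$plugin_dir"/libmkv_plugin.* "$plugin_dir"/*/libmkv_plugin.*; do
    [ -f "$f" ] || continue          # an unmatched glob stays literal; skip it
    mv "$f" "$quarantine"/ || return 1
    moved=$((moved + 1))
  done
  echo "$moved"
}

# Usage: sh mkv_workaround.sh <installed-version> <plugin-dir> <quarantine-dir>
if [ $# -eq 3 ]; then
  if vlc_version_fixed "$1"; then
    echo "VLC $1 already includes the MKV fix; nothing to do."
  else
    n=$(quarantine_mkv_plugin "$2" "$3")
    echo "VLC $1 is affected; moved $n MKV demuxer plugin file(s) to $3."
  fi
fi
```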

The fix for V1.1.7 is already in the VLC source repository, but it will be a while (hopefully not too long) before the official binary release.