September 1, 2014

VLC fixes a couple of security vulnerabilities and adds support for Retina display on the new MacBook Pro

VLC 2.0.2 “Twoflower”, which is being called “an important update”, has been released by the VLC project team to fix a series of regressions to the 2.0.x branch of VLC, to fix a couple of security vulnerabilities and to add support for Apple’s Retina Display (HiDPI) on the new MacBook Pros.

According to the release page, 2.0.2 fixes a couple of hundred bugs and adds more than 500 commits on top of 2.0.1. These fixes include:

  • Fix video output for old graphics cards on Windows XP that use DirectX
  • Fix video output on old Macs, notably PowerPC and Intel GMA950 Macs
  • Fixes for playback of split RAR, segmented MKV, MP4 and Real Media files
  • Fixes for subtitles auto-detection
  • Fixes on Qt, skins2 and web interfaces
  • Fixed crash when trying to open an Audio CD by drag & drop
  • Fixed a crash when attaching hard drives with multiple partitions while VLC is running

According to a blog post by VLC developer Felix Kühne, VLC 2.0.2 also includes the following security content:

  • Fixed Ogg Heap buffer overflow
  • Updated taglib (CVE-2012-2396)

CVE-2012-2396 describes how VLC 2.0.1 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a specially crafted MP4 file. More details on this can be found here, where an exploit and PoC are given.

More details about VLC 2.0.2 can be found in the release notes, and it can be downloaded for Windows, Mac OS X and Linux here.

VideoLan Project Releases VLC Security Fix Release

(LiveHacking.Com) - VideoLAN and the VLC development team have released VLC 1.1.12 to fix bugs and a security issue while adding improvements to the audio output on Mac OS X and with PulseAudio.

The security issue fixed in this release is a NULL pointer dereference that causes a crash when an invalid URL is processed by the HTTP and RTSP server components. If successful, a malicious third party could crash the server process; however, arbitrary code execution is not believed to be possible.

For the vulnerability to be exploitable, the user has to have explicitly started the HTTP web interface, HTTP output, RTSP output or RTSP VoD functions.

Other changes between 1.1.11 and 1.1.12:

  • Mac OS X / auhal: multiple fixes for the Digital Audio output (S/PDIF) including support for OS X Lion
  • Multiple fixes and improved synchronization for PulseAudio support
  • Support for AC-3 and DTS passthrough with PulseAudio 1.0
  • Fix crashes with Japanese locale on OS X
  • Minor fixes for Webplugin under Win32, AVI demuxer, smem and AudioScrobbler

VLC 1.1.12 is available for download from the project’s web site.

Patch Roundup: Java, Flash, VLC, VMware, Chrome

The last few days have seen patches released for several major software packages, including Java and Flash.

Java
Oracle has released patches to address several critical vulnerabilities in Java. Nine of the seventeen vulnerabilities have the highest severity rating. Affected versions are the Java Development Kit (JDK) and the Java Runtime Environment (JRE) versions 6.0 (up to and including update 25), version 5.0 (up to and including update 29) and version 1.4.2 (up to and including version 1.4.2_31) across all supported platforms.

According to the update advisory, “all of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.”

VMware
VMware has released security advisory VMSA-2011-0009 to address multiple vulnerabilities in the following products:

  • VMware Workstation 7.1.3 and earlier
  • VMware Player 3.1.3 and earlier
  • VMware Fusion 3.1.2 and earlier
  • ESXi 4.1 without patch ESXi410-201104402-BG
  • ESXi 4.0 without patch ESXi400-201104402-BG
  • ESXi 3.5 without patches ESXe350-201105401-I-SG and ESXe350-201105402-T-SG
  • ESX 4.1 without patch ESX410-201104401-SG
  • ESX 4.0 without patch ESX400-201104401-SG
  • ESX 3.5 without patches ESX350-201105401-SG, ESX350-201105404-SG, and ESX350-201105406-SG

VLC
VideoLAN has released VLC Media Player 1.1.10 to address an integer overflow vulnerability in the XSPF demuxer. Exploitation of this vulnerability may allow an attacker to execute arbitrary code. The release notes also mention that libmodplug has been updated for security reasons in the Windows and Mac versions.

Flash
Adobe has released the security bulletin APSB11-13 to address a vulnerability in Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux, and Solaris, and 10.3.185.22 and earlier versions for Android.

The universal cross-site scripting vulnerability (CVE-2011-2107) could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

Adobe recommends users of Adobe Flash Player 10.3.181.16 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 10.3.181.22 (10.3.181.23 for ActiveX). Adobe recommends users of Adobe Flash Player 10.3.185.22 and earlier versions for Android update to Adobe Flash Player 10.3.181.23.

Chrome
Google has released Chrome 12 with several security fixes:

  • [$2000] [73962] [79746] High CVE-2011-1808: Use-after-free due to integer issues in float handling. Credit to miaubiz.
  • [75496] Medium CVE-2011-1809: Use-after-free in accessibility support. Credit to Google Chrome Security Team (SkyLined).
  • [75643] Low CVE-2011-1810: Visit history information leak in CSS. Credit to Jesse Mohrland of Microsoft and Microsoft Vulnerability Research (MSVR).
  • [76034] Low CVE-2011-1811: Browser crash with lots of form submissions. Credit to “DimitrisV22”.
  • [$1337] [77026] Medium CVE-2011-1812: Extensions permission bypass. Credit to kuzzcc.
  • [78516] High CVE-2011-1813: Stale pointer in extension framework. Credit to Google Chrome Security Team (Inferno).
  • [79362] Medium CVE-2011-1814: Read from uninitialized pointer. Credit to Eric Roman of the Chromium development community.
  • [79862] Low CVE-2011-1815: Extension script injection into new tab page. Credit to kuzzcc.
  • [80358] Medium CVE-2011-1816: Use-after-free in developer tools. Credit to kuzzcc.
  • [$500] [81916] Medium CVE-2011-1817: Browser memory corruption in history deletion. Credit to Collin Payne.
  • [$1000] [81949] High CVE-2011-1818: Use-after-free in image loader. Credit to miaubiz.
  • [$1000] [83010] Medium CVE-2011-1819: Extension injection into chrome:// pages. Credit to Vladislavas Jarmalis, plus subsequent independent discovery by Sergey Glazunov.
  • [$3133.7] [83275] High CVE-2011-2332: Same origin bypass in v8. Credit to Sergey Glazunov.
  • [$1000] [83743] High CVE-2011-2342: Same origin bypass in DOM. Credit to Sergey Glazunov.

Note that the referenced bugs may be kept private until a majority of Chrome users have updated.

Chrome 12.0.742.91 also includes a number of new features including:

  • Hardware accelerated 3D CSS
  • New Safe Browsing protection against downloading malicious files
  • Ability to delete Flash cookies from inside Chrome
  • Launch Apps by name from the Omnibox
  • Integrated Sync into new settings pages
  • Improved screen reader support
  • New warning when hitting Command-Q on Mac
  • Removal of Google Gears

VLC 1.1.9 Fixes MP4 Demultiplexer Vulnerability

The VideoLAN project team have released VLC 1.1.9, just two weeks after the release of V1.1.8, to fix two important security flaws. As we reported here and here, two vulnerabilities have been found in VLC recently, one in the libmodplug plugin and the other in the MP4 demultiplexer. In both cases an attacker would have needed to convince a user to open a specially crafted file to exploit the weaknesses.

According to the CHANGELOG, V1.1.9 is a minor release focused on security issues and bug fixes:

  • Fix a heap corruption in MP4 demultiplexer
  • Update of libmodplug in binaries to fix a security issue
  • Many OS X layout and look fixes
  • Update of translations and scripts

VLC is a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVD, Audio CD, VCD, and various streaming protocols. V1.1.9 can be downloaded here.

VLC Media Player MP4 Heap Corruption Vulnerability

Yesterday we reported on a vulnerability in libmodplug, which is used by media players such as VLC and GStreamer; today it has been revealed that there is another vulnerability in VLC, this time a heap corruption in the MP4 demultiplexer. All versions of the VLC media player from V1.0.0 to the current V1.1.8 are affected.

According to the advisory, when VLC parses some MP4 (MPEG-4 Part 14) files, an insufficient buffer size might lead to corruption of the heap. It is not yet known whether a malicious third party could use this to trigger execution of arbitrary code; however, successful exploitation of this bug can crash the media player.

As with the libmodplug issue reported yesterday, exploitation of this issue requires the user to explicitly open an MP4 file with specially crafted content. The workaround, until VLC media player 1.1.9 is released, is not to open MP4 files from untrusted third parties or access untrusted remote sites. Alternatively, the MP4 decoder plugin (libmp4_plugin.*) can be removed manually from the VLC plugin installation directory.

Libmodplug Exposes VLC Media Player to Code Execution Vulnerability

SEC Consult has discovered a vulnerability in the libmodplug library, which is used by media players such as VLC and GStreamer. As a result, the current binary versions of the VLC Media Player for Windows and OS X are susceptible.

The problem affects libmodplug v0.8.8.1, which was the most recent version at the time of the discovery, and Secunia has issued an advisory for VLC Media Player users. Because of insufficient validation of user-supplied data, the libmodplug library is prone to stack-based buffer overflows, and an attacker is able to execute arbitrary code with the user’s privileges when the user opens a malicious S3M media file.

The only way an attacker can launch this attack is by tricking a user into opening a specially crafted S3M file. Therefore, as a temporary workaround until an official fix for VLC is released, do not open untrusted *.S3M files.

For those who want to re-build VLC from source, an updated version of libmodplug is available here.

VLC Media Player 1.1.8 Addresses Vulnerabilities with .AMV and .NSV Files

The VideoLAN project has released VLC Media Player 1.1.8 to address two vulnerabilities in the handling of .AMV and .NSV files. These vulnerabilities could be exploited by a remote attacker to obtain arbitrary code execution with the privileges of the user running VLC.

V1.1.8 also adds some minor new functionality including an update to the look and feel of the OS X version:

  • Support for a new Dirac encoder based on libschroedinger
  • Package of the new VP8/Webm encoder ‘Bali’
  • Notable updates in .mp4, .ogg, .ape demuxers
  • Major updates in most language translations

VLC 1.1.7 was downloaded 50 million times and VLC 1.1.8 can be downloaded here.

VLC Releases V1.1.7 To Plug MKV Vulnerability

The VideoLAN project team have released V1.1.7 of VLC, which closes the hole in the MKV demuxer discovered a few days ago. This is the eighth release of the 1.1.x branch of VLC, and as well as fixing the MKV problem it also fixes some other minor issues and updates some translations.

The original problem, which is detailed in Security Advisory 1102, revolves around a lack of input validation in the MKV demuxer, which means that a specially crafted file could be created allowing a malicious third party to execute arbitrary code.

All users of VLC, which is available for OS X, Windows and Linux, should upgrade.

MKV Vulnerability Discovered in VLC Player

With V1.1.6 of the VideoLAN player (VLC) fresh out the door, Dan Rosenberg of Virtual Security Research has now reported a new vulnerability in the media player, this time in the MKV (Matroska or WebM) decoder. According to Security Advisory 1102, there is insufficient input validation in the MKV demuxer, which means that a specially crafted file could be created allowing a malicious third party to execute arbitrary code.

The workarounds are a) not to open any untrusted video files using the MKV format or b) delete the MKV demuxer plugin (libmkv_plugin.*) from the VLC plugin installation directory. A proper fix will come with the release of VLC media player 1.1.7.
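The advisories above recommend removing the affected demuxer plugin (libmkv_plugin.* here, libmp4_plugin.* in the MP4 item earlier on this page) from the VLC plugin directory until the fixed release ships. The following is an added example, not code from the articles or from the VideoLAN project: a small POSIX sh helper that quarantines the matching plugin files into a separate directory instead of deleting them, so the plugin can be put back once VLC has been updated. The plugin directory, the file pattern and the quarantine directory are all assumptions passed in by the caller, since the location varies by platform and distribution.

```shell
#!/bin/sh
# Added example, not part of the original articles or the VideoLAN project.
# Temporarily disable a VLC plugin by moving its files out of the plugin
# directory, and restore them later.  The directory paths and the file
# pattern are assumptions supplied by the caller; the patterns quoted in
# the advisories are libmkv_plugin.* and libmp4_plugin.*.

# quarantine_plugin PLUGIN_DIR PATTERN QUARANTINE_DIR
# Moves every file in PLUGIN_DIR matching PATTERN into QUARANTINE_DIR.
# Prints the number of files moved (0 when nothing matched) and returns 0.
quarantine_plugin() {
    plugin_dir=$1
    pattern=$2
    quarantine_dir=$3
    moved=0

    mkdir -p "$quarantine_dir" || return 2

    # $pattern is deliberately unquoted so the shell expands the glob.
    for f in "$plugin_dir"/$pattern; do
        # When the glob matches nothing it is left as a literal string,
        # so skip entries that do not exist instead of failing.
        [ -e "$f" ] || continue
        mv "$f" "$quarantine_dir"/ && moved=$((moved + 1))
    done

    echo "$moved"
    return 0
}

# restore_plugin QUARANTINE_DIR PATTERN PLUGIN_DIR
# Reverses quarantine_plugin after the fixed VLC release has been installed.
restore_plugin() {
    quarantine_plugin "$1" "$2" "$3"
}

# Usage (assumed Linux layout; adjust the plugin path for your install):
#   quarantine_plugin /usr/lib/vlc/plugins/demux 'libmkv_plugin.*' /var/tmp/vlc-quarantine
#   restore_plugin    /var/tmp/vlc-quarantine 'libmkv_plugin.*' /usr/lib/vlc/plugins/demux
```

Quarantining rather than deleting keeps the mitigation reversible, and the printed count lets a deployment script confirm that the plugin was actually present and removed rather than silently doing nothing on a machine where the path differs.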

The fix for V1.1.7 is already in the VLC source repository but it will be a while (hopefully not too long) before the official binary release.

Critical Vulnerabilities Found and Fixed in VLC Player but Opera Web Browser Not so Lucky Yet

Two critical heap corruption vulnerabilities have been discovered in the rarely used decoder for the CDG format in the VLC player. These index validation bugs could theoretically allow a maliciously crafted CDG video to corrupt the heap in a deliberate manner and potentially execute injected code.

In response to these bugs, and to a problem with the Real demuxer which could allow a remote denial of service attack, VLC V1.1.6 has been released. Other changes in V1.1.6 include faster WebM/VP8 decoding.

V1.1.5 of VLC was downloaded 58 million times since its release two months ago, and the fixes are for potentially exploitable vulnerabilities, although no actual practical exploits have been documented. The same can’t be said, however, for the Opera web browser.

Back in January a bug report was posted by Jordi Chancel which identified a vulnerability in Opera’s handling of an HTML “select” element containing an overly large number of children. This bug could be exploited by remote attackers to take complete control of a vulnerable system.

It now appears that VUPEN have succeeded in using this vulnerability to inject and execute code. This means that specially crafted web pages could exploit it and infect Windows systems with malware. The bug has been confirmed in Opera 11.00 and earlier and 10.63 and earlier on Windows 7 and XP SP3. At present there is no patch or update for the problem.