October 27, 2016

MKV Vulnerability Discovered in VLC Player

VLC Media PlayerWith V1.1.6 of the VideoLAN player (VLC) fresh out the door, Dan Rosenberg of Virtual Security Research has now reported a new vulnerability in the media player, this time in the MKV (Matroska or WebM) decoder. According to Security Advisory 1102 there is insufficient input validation in the MKV demuxer which means that a specially crafted file could be created allowing a malicious third party to execute arbitrary code.

The workarounds are a) not to open any untrusted video files using the MKV format or b) delete the MKV demuxer plugin (libmkv_plugin.*) from the VLC plugin installation directory. A proper fix will come with the release of VLC media player 1.1.7.

The fix for V1.1.7 is already in the VLC source repository but it will be a while (hopefully not too long) before the official binary release.