Thursday, April 22, 2010

VLC Media Player Multiple Vulnerabilities
UPDATE!

UPDATE!

Hey kids. I found that in April some terrific folks on the Mac side of the VLC project have gotten things going again and have provided an update past VLC v1.0.5. You can download the lastest version of VLC at the source page for VLC media player Mac OS X Intel nightly builds. (Sorry PPC users, you are SOL).

Be sure to read the notes at the top of page very carefully! What you probably want is the latest version of the 1.0-branch-intel stable series. Ignore the gibberish numbers in the file names. When you see '107' in the name it does NOT mean 'version 1.0.7'. ATM the latest version is v1.0.6.
~~~~~~~~~~~~
Original Article:
~~~~~~~~~~~~


This is potentially a big problem:

VLC Media Player v1.0.5 (and earlier) has been found to have multiple vulnerabilities. And there is almost NO chance on a Mac OS X version 1.0.6 update at this time. Therefore, to be ultra-super-mondo-├╝ber-safe, you can't use VLC any more. And that's bad.

Here is Secunia's announcement.

You can subscribe to Secunia's Weekly Summary email newsletter HERE.

You can access the ongoing 'Vulnerability Report: Apple Macintosh OS X' HERE.

Now for the naughty bits:
Description
Some vulnerabilities have been reported in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system.

1) An error in the A/52 audio decoder can be exploited to cause a heap-based buffer overflow.

2) An error in the DTS audio decoder can be exploited to cause a heap-based buffer overflow.

3) An error in the MPEG audio decoder can be exploited to cause a heap-based buffer overflow.

4) An error in the AVI demuxer can be exploited to trigger an access to invalid memory.

5) An error in the ASF demuxer can be exploited to trigger an access to invalid memory.

6) An error in the Matroska demuxer can be exploited to trigger an access to invalid memory.

7) An error when processing XSPF playlists can be exploited to trigger an access to invalid memory.

8) An error in the ZIP implementation can be exploited to trigger an access to invalid memory.

9) An error in the RTMP implementation can be exploited to cause a heap-based buffer overflow.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted file.

The vulnerabilities are reported in versions prior to 1.0.6.

Solution
Update to version 1.0.6.
Quick summary: Trojan horse files that are compatible with VLC can be used to access your computer's RAM and do bad things. Therefore, don't be a LUSER. Verify that any file you play in VLC is from a legitimate, reliable source.

For example, stuff from questionable BitTorrent sites does not qualify as safe. BitTorrent rips are a great way to get infected. That's where the one (and only) verified Mac BotNet came from: Three cracked Mac apps offered at BitTorrent sites turned out to be Trojan bots that zombied well over 10,000 Macs, employing them in a documented DDOS attack. The Trojans are formally known as Trojan.OSX.iServices.A-C. (You can read about this Trojan in previous posts).

So why no VLC v1.0.6 update for Mac?! Because there has been a long term derth of Mac OS X developers participating in the open source VLC project. You can read more about this dilemma HERE. You can sign up for the VLC RSS feed using this LINK. Of interest: There will be no v1.0.6 for Windows either, for different reasons.

Thankfully, there is an ongoing 'next generation' project of VLC for Mac called 'Lunettes' that you can follow HERE and HERE. This project is also asking for Mac developers. There is no public release version at this time.

What's so great about VLC? It allows Mac users to play a variety of media that Apple does not support via QuickTime or iTunes. Example: FLAC. This free, Open Source lossless compression audio format is ubiquitous on the Internet, and Apple provides no support, which is of course insane. There are many other examples of great functionalities provided by VLC. I consider VLC to be required software on my Macs. There are alternatives to VLC for some purposes, but no other application provides its feature set in one package. Let's hope the Lunettes project is a success.



For those concerned:

Please note that I post Mac-specific vulnerability information because just about no one else does. These posts help fend off the troll hate-abuse-lie rants and FUD mongering that claim that Mac users are computer security illiterate.

No comments:

Post a Comment