[VLC Media Player] Security bug from 2010 still not fixed?

https://secunia.com/advisories/41810/

It's rated as highly critical.

 

I'd like to see more on this. I see it was tested against FF v3, but would it also work in later versions?

 

Keep your media player sandboxed/ running at low priority. No problem.

LowIL is basically made for a media player IMO, all they need to do is read and reads aren't restricted.

 

I'm not concerned about myself. I'm just wondering why the security bug was never fixed?

@ dw426

Like you, I don't know if it will work against newest Firefox versions, but considering the issue is not with Firefox but with VLC, maybe all it would be required is a bit of imagination and make it work on newest FF versions, if needed.

My guess is as good as yours...

 

Because most people don't care about security and most programmers don't give it a thought.

If every program ran in their own sandbox and protected mode ala IE we'd have a much easier time.

 

In this thread : -http://forum.videolan.org/viewtopic.php?f=14&t=87737&p=294689&hilit=sa41810#p294689-

it is said that the developer/maintainer for their browser plug-ins had left VLC project some time ago, and the bug seems to remain unpatched.
I was wondering the same question as you asked myself a while back. Seems strange to still not be fixed.

 

I'm confused. Don't the respective plugins get updated with main release? Or are these plugins controlled by a completely different "department" of devs/volunteers? I'd hate to sit here and realize these plugins haven't been touched in 3 years. Luckily most things on the web are now Flash-based, so I've yet to actually need the plugin.

 

It should also be said that VLC's plugin isn't installed by default; the user needs to select it to install it.

Generally speaking, it would be far more worse if it was a bug in VLC's activex, which is installed by default.

Nonetheless, one has to wonder what's taking this long to patch it. Is it really because of what user Dermot7 pointed us to?

If they lack a developer, then perhaps they should take the plugin away? I mean, if you can't fix it, don't provide it.

It's not like VLC's plugin is as useful as Flash Player as you said, anyway. I'm also yet to see a web site complain about a media player plugin.

 

Don't install the plugin and you're fine, there's really no reason to do so unless you take joy in expanding your browsers attack surface.