New critical vulnerability in VLC Media Player

OK, cheers for the info Ron.

 

This is slightly more serious than all the other vulnerabilities I'd think, hopefully they push a fix soon.

 

Seems serious enough. I'm waiting for 1.1.7. Meanwhile, I think these are useful:

Source

 

Does EMET prevent this?

 

It's already fixed in the latest win32 branch build (1.1.7 - believe it involved one line of code or something):

http://nightlies.videolan.org/build/win32/branch-20110201-0202/

I grabbed it, installed, and haven't seen any anomalies.....yet. Regardless, they'll probably release the official 1.1.7 soon enough.

 

Official 1.1.7 release is up:

http://www.videolan.org/

 

I just installed 1.1.7. Thanks for the heads up.

 

No problem.

Also, Portable version of 1.1.7 is available courtesy of PortableApps.com:

http://portableapps.com/apps/music_video/vlc_portable

 

Looks like DEP alone is enough to prevent exploitation. At least that's the case with the metasploit module. Maybe this limitation could be overcome but I doubt a full emet bypass is possible, even if it is you won't see one any time soon (and by then everyone is patched anyway so why bother in the first place?)

http://www.metasploit.com/modules/exploit/windows/fileformat/vlc_webm