VLC media player auto-update and vulnerability

Secunia has published an advisory about new vulnerabilities found in VLC Media Player.

I just picked up an advisory from Secunia about VLC Media Player vulnerabilities. There are 9 vulnerabilities. Three are related to the A/52, DTS and MPEG audio decoders. Three are about the AVI, ASF and Matroska demuxers. The other three are about the XSPF playlist, the ZIP and the RTMP implementation.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted file.

There is no CVE reference and unfortunately I cannot figure out a CVSS score. You can find the original advisory (VideoLAN-SA-1003) here:

There are two interesting things about this one. One, as of right now (April 25, 2010 at 22:39 GMT-6), the fixed version for Windows (1.0.6) is still not available on the VideoLAN web site. That’s a bit unusual because, typically, the vendor likes to make sure the patch/updated version of the vulnerable software is available before publishing the vulnerability on their own web site. The second thing that’s interesting is that the auto-update does not seem to work in my installed version (1.0.1).

I thought that maybe I had a problem in my home LAN that caused the auto-update to fail. I fired up Wireshark and did a quick sniff of the traffic when trying to get VLC to update. I used the Follow TCP Stream feature and it was quickly apparent that the problem wasn’t with me at all. The GET that VLC sent got a 206 Partial Content response:

HTTP/1.1 206 Partial Content
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "3280753111"
Last-Modified: Mon, 01 Feb 2010 23:15:18 GMT
Content-Range: bytes 0-485/486
Content-Length: 486
Date: Mon, 26 Apr 2010 04:24:08 GMT
Server: lighttpd/1.4.19

Due to a bug in the update feature of your on of VLC, the automatic download of the new VLC will fail.

You have to download VLC 1.0.5 from VideoLAN’s website: http://www.videolan.org

VLC 1.0.5 is a minor release of 1.0.x version of VLC. It fixes a few bugs, updates the codecs and the compiler for Windows, and should improve decoding speed. It also improves and update many translations.

Well, might as well download 1.0.5 for now and use the auto-update to check the 1.0.6 fix.
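The headers captured above can be checked mechanically. The following is an added example, not part of the original post: it parses the response head copied from the capture and reports whether the 206 reply actually carried the whole resource, whether Content-Length agrees with the range, and how old the served file was when it was fetched. The function names `parse_response_head` and `triage` are hypothetical.

```python
import re
from email.utils import parsedate_to_datetime

# Response head copied from the capture above (ETag quotes normalised to ASCII).
CAPTURED = """\
HTTP/1.1 206 Partial Content
Content-Type: text/plain
Accept-Ranges: bytes
ETag: "3280753111"
Last-Modified: Mon, 01 Feb 2010 23:15:18 GMT
Content-Range: bytes 0-485/486
Content-Length: 486
Date: Mon, 26 Apr 2010 04:24:08 GMT
Server: lighttpd/1.4.19
"""

def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, lower-cased header dict)."""
    lines = [l for l in raw.splitlines() if l.strip()]
    m = re.match(r"HTTP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def triage(raw):
    """Report whether a reply carried the whole resource and how old that resource is."""
    status, h = parse_response_head(raw)
    report = {"status": status, "complete": None, "length_ok": None, "age_days": None}
    cr = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+|\*)", h.get("content-range", ""))
    if cr:
        first, last = int(cr.group(1)), int(cr.group(2))
        total = None if cr.group(3) == "*" else int(cr.group(3))
        # Whole entity delivered only if the range starts at 0 and ends at total-1.
        report["complete"] = total is not None and first == 0 and last == total - 1
        if "content-length" in h:
            report["length_ok"] = int(h["content-length"]) == last - first + 1
    if "date" in h and "last-modified" in h:
        age = parsedate_to_datetime(h["date"]) - parsedate_to_datetime(h["last-modified"])
        report["age_days"] = age.days
    return report

if __name__ == "__main__":
    print(triage(CAPTURED))
```

For the captured headers the range 0-485 of 486 covers the entire file, so the reply was not a truncated transfer, and the Last-Modified date shows the served file had not changed for 83 days at the time of the capture.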

BackTrack 4 Final Released

I’m back to blogging! BackTrack 4, the latest version of the most popular all-in-one Linux-based penetration testing suite, is now out.

Sorry for being away for so long (almost a year since the last post). I have been making sure that this server and WordPress are always up to date even though I was not actively posting. I’d hate for a blog about IT security to be compromised, especially if I’m the one managing it.

In any case, it would appear that BackTrack 4 is out of Beta and is available for all to download! I’m downloading it as I am typing this and will be burning it to a DVD to play with it. You can download it from http://www.backtrack-linux.org/downloads/. BackTrack is a great collection of software and tools in a bootable DVD or in a VM. As described on the BackTrack home page:

BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking.

Even if penetration testing is not your thing, this is an easy way to get some of the most popular security tools into your hands without having to search and download from all over the Internet.