{"id":124,"date":"2010-04-25T22:56:12","date_gmt":"2010-04-26T04:56:12","guid":{"rendered":"http:\/\/www.digitallachance.com\/blog\/?p=124"},"modified":"2010-04-25T22:56:12","modified_gmt":"2010-04-26T04:56:12","slug":"vlc-media-player-auto-update-and-vulnerability","status":"publish","type":"post","link":"http:\/\/digitallachance.com\/blog\/2010\/04\/vlc-media-player-auto-update-and-vulnerability\/","title":{"rendered":"VLC media player auto-update and vulnerability"},"content":{"rendered":"<p>I just picked up an <a href=\"http:\/\/secunia.com\/advisories\/39558\" target=\"_blank\">advisory<\/a> from Secunia about VLC Media Player vulnerabilities. There are 9 vulnerabilities. Three are related to A\/52, DTS and MPEG audio decoders. Three are about the AVI, ASF and Matroska demuxers. The other three are about the XSPF playlist, the ZIP and RTMP implementations.<\/p>\n<p>Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires that the user is tricked into opening a specially crafted file.<\/p>\n<p>There is no CVE Reference and unfortunately I cannot figure out a <a href=\"http:\/\/www.networkworld.com\/community\/node\/21105\" target=\"_blank\">CVSS<\/a> score.\u00a0 You can find the original advisory (VideoLAN-SA-1003) here:<br \/>\n<a href=\"http:\/\/www.videolan.org\/security\/sa1003.html\" target=\"_blank\">http:\/\/www.videolan.org\/security\/sa1003.html<\/a><\/p>\n<p>There are two interesting things about this one.\u00a0 One, as of right now (April 25, 2010 at 22:39 GMT-6), the fixed version for Windows (1.0.6) is still not available on the VideoLAN web site.\u00a0 That&#8217;s a bit unusual because, typically, the vendor likes to make sure the patch\/updated version of the vulnerable software is available before publishing the vulnerability on their own web site.\u00a0 The second thing that&#8217;s interesting is that the auto-update does not seem to work in my installed version (1.0.1).<\/p>\n<p>I thought that maybe I 
had a problem in my home LAN that caused the auto-update to fail.\u00a0 I fired up Wireshark and did a quick sniff of the traffic when trying to get VLC to update.\u00a0 I used the <em>Follow TCP Stream<\/em> feature and it was quickly apparent that the problem wasn&#8217;t with me at all.\u00a0 The GET that VLC sent got a <em>206 Partial Content<\/em><\/p>\n<blockquote><p>HTTP\/1.1 206 Partial Content<br \/>\nContent-Type: text\/plain<br \/>\nAccept-Ranges: bytes<br \/>\nETag: &#8220;3280753111&#8221;<br \/>\nLast-Modified: Mon, 01 Feb 2010 23:15:18 GMT<br \/>\nContent-Range: bytes 0-485\/486<br \/>\nContent-Length: 486<br \/>\nDate: Mon, 26 Apr 2010 04:24:08 GMT<br \/>\nServer: lighttpd\/1.4.19<\/p>\n<p>1.0.5<br \/>\nhttp:\/\/www.videolan.org\/mirror-geo-redirect.php?file=vlc\/1.0.5\/win32\/vlc-1.0.5-win32.exe<br \/>\nDue to a bug in the update feature of your on of VLC, the automatic download of the new VLC will fail.<\/p>\n<p>You have to download VLC 1.0.5 from VideoLAN&#8217;s website: http:\/\/www.videolan.org<\/p>\n<p>VLC 1.0.5 is a minor release of 1.0.x version of VLC. It fixes a few bugs, updates the codecs and the compiler for Windows, and should improve decoding speed. 
It also improves and update many translations.<\/p><\/blockquote>\n<p>Well, might as well download 1.0.5 for now and use the auto-update to check the 1.0.6 fix.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Secunia has published an advisory about new vulnerabilities found in VLC Media Player.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[11,7],"tags":[39,47,49,52],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v15.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>VLC media player auto-update and vulnerability - IT A Digital Life<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/digitallachance.com\/blog\/2010\/04\/vlc-media-player-auto-update-and-vulnerability\/\" \/>\n<meta name=\"twitter:label1\" content=\"Est. 
reading time\">\n\t<meta name=\"twitter:data1\" content=\"2 minutes\">\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/digitallachance.com\/blog\/#website\",\"url\":\"https:\/\/digitallachance.com\/blog\/\",\"name\":\"IT A Digital Life\",\"description\":\"All things digital\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/digitallachance.com\/blog\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/digitallachance.com\/blog\/2010\/04\/vlc-media-player-auto-update-and-vulnerability\/#webpage\",\"url\":\"https:\/\/digitallachance.com\/blog\/2010\/04\/vlc-media-player-auto-update-and-vulnerability\/\",\"name\":\"VLC media player auto-update and vulnerability - IT A Digital Life\",\"isPartOf\":{\"@id\":\"https:\/\/digitallachance.com\/blog\/#website\"},\"datePublished\":\"2010-04-26T04:56:12+00:00\",\"dateModified\":\"2010-04-26T04:56:12+00:00\",\"author\":{\"@id\":\"https:\/\/digitallachance.com\/blog\/#\/schema\/person\/8a2f0b2a18af80d71541deadfac4d02f\"},\"breadcrumb\":{\"@id\":\"https:\/\/digitallachance.com\/blog\/2010\/04\/vlc-media-player-auto-update-and-vulnerability\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/digitallachance.com\/blog\/2010\/04\/vlc-media-player-auto-update-and-vulnerability\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/digitallachance.com\/blog\/2010\/04\/vlc-media-player-auto-update-and-vulnerability\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/digitallachance.com\/blog\/2010\/04\/vlc-media-player-auto-update-and-vulnerability\/\",\"url\":\"https:\/\/digitallachance.com\/blog\/2010\/04\/vlc-media-player-auto-update-and-vulnerability\/\",\"name\":\"VL
C media player auto-update and vulnerability\"}}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/digitallachance.com\/blog\/#\/schema\/person\/8a2f0b2a18af80d71541deadfac4d02f\",\"name\":\"Francois\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/digitallachance.com\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"http:\/\/0.gravatar.com\/avatar\/ce2ee0649f3fb6a643ffff9a9f1e63e4?s=96&d=mm&r=g\",\"caption\":\"Francois\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/posts\/124"}],"collection":[{"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/comments?post=124"}],"version-history":[{"count":0,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/posts\/124\/revisions"}],"wp:attachment":[{"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/media?parent=124"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/categories?post=124"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/digitallachance.com\/blog\/wp-json\/wp\/v2\/tags?post=124"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}