VLC Media Player < 1.0.6 Multiple Vulnerabilities

This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.


Synopsis :

The remote Windows host contains an application that suffers from
multiple vulnerabilities.

Description :

The version of VLC media player installed on the remote host is
earlier than 1.0.6. Such versions are affected by multiple
vulnerabilities :

- A stack-based buffer overflow when handling M3U files
with a ftp:// URI handler.

- Heap-based buffer overflow vulnerabilities exist in the
A/52, DTS, MPEG Audio decoders.

- Invalid memory access vulnerabilities exist in the AVI,
ASF, Matroska (MKV) demuxers, the XSPF playlist parser,
and the ZIP archive decompressor.

- A heap-based buffer overflow vulnerability exists in
RTMP access.

If an attacker can trick a user into opening a specially crafted file
with the affected application, arbitrary code could be executed
subject to the user's privileges.

See also :

http://seclists.org/bugtraq/2010/Jul/29
http://www.videolan.org/security/sa1003.html
http://www.videolan.org/developers/vlc-branch/NEWS

Solution :

Upgrade to VLC Media Player version 1.1.0 or later.

Note that the VLC developers have not released a pre-built version
1.0.6 for Windows so users are advised to upgrade to the next
available version.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 8.4
(CVSS2#E:POC/RL:U/RC:ND)
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 48760 ()

Bugtraq ID: 39620
41398

CVE ID: CVE-2010-1441
CVE-2010-1442
CVE-2010-1443
CVE-2010-1444
CVE-2010-1445

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now