Security Advisory 1005

Summary           : DLL preloading vulnerability
Date              : August 2010
Affected versions : All VLC media player versions up to 1.1.3
ID                : VideoLAN-SA-1005
CVE reference     : CVE-2010-3124

Details

Due to the DLL loading design on Windows, VLC loads automatically a DLL from the current directory, if it doesn't find it in VLC's application directory or in system directories. A few modules of VLC are affected (only Qt4 and DMO are known at the moment).

Impact

If successful, the exploit can execute arbitrary code within the context of VLC media player.

Threat mitigation

Microsoft has published workarounds ( https://www.microsoft.com/technet/security/advisory/2269637.mspx ) and a tool ( http://support.microsoft.com/kb/2264107 ) that fixes the vulnerability for all affected software on the computer.

Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (network shares, USB keys), until the patch is applied.

Solution

VLC media player 1.1.4 addresses this issue. The patch for VLC media player 1.1.x is available from the corresponding official VLC source code repositories.

Credits

This vulnerability was reported by Georgi Guninski, Taeho Kwon, ACROS Security and H.D. Moore.
An exploit was posted on exploit-db by Vinay Katoch.

References

The VideoLAN project

http://www.videolan.org/

Patch for VLC 1.1.3, 1.1.2, 1.1.1, 1.1.0

commit 43a31df56c37bd62c691cdbe3c1f11babd164b56

History

23 August 2010

Details of the vulnerability released.

25 August 2010

Exploit release.

Vendor patch for VLC 1.1.3.

26 August 2010

Initial security advisory.

CVE reference assigned.

27 August 2010

VLC 1.1.4 release.