Jul 18, 2011 06:44 GMT

VideoLAN and the VLC development team have released VLC 1.1.11, a security release packing additional improvements as well.

According to the team of developers handling VLC, two security issues in the Real and AVI demuxers made this new release imperative.

While they were at it, the VLC development team also made improvements to the fullscreen mode of the Win32 Mozilla plugin, Mac OS X Media Key handling and AUHAL audio output, as well as GUI bug fixes and more.

Five exclusive changes are present in the Mac version alone.

VLC 1.1.11 fixes the scrolling direction if the input device's signal is inverted, updates the AUHAL audio output to the latest API, fixes images disappearing on the interface, and resolves a conflict between iTunes and VLC with respect to Media Key handling.

Finally, the OS X installation size is now reduced by as much as 30 MB.

Rémi Denis-Courmont, one of the lead developers of VLC Media Player, writes on Planet VideoLAN:

“As a security contact I used to announce VideoLAN security advisories on the main VideoLAN website. But most users are not literate in open-source development and do not understand the difference between source code releases and availability of binaries.”

As such, Rémi proposes a slightly less visible venue to post the two advisories for the security fixes in VLC 1.1.11, so that end users who don’t really care about the nuts and bolts of every release are not confused.

The advisories in question reveal that VLC Media Player suffers from a heap overflow vulnerability in the Real Media file parser, as well as in the AVI file parser.

“If successful, a malicious third party could crash the player instance,” the advisory reads. “Arbitrary code execution within the context of VLC media player might be possible.”

However, in both cases, code execution hasn’t yet been confirmed. Moreover, exploitation of these vulnerabilities requires the user to explicitly open specially crafted malicious files.

There are a couple of workarounds to this, in case you don’t want to update, but the recommended solution is to install VLC Media Player 1.1.11.
