Organizations Shipping Malware with Highly Rated VLC Media Player
Ludovic Fauvet, a developer at VideoLAN (the project behind the official VLC media player, including its Windows download), is ferociously charging firms that bundle VLC with spyware and adware, ZDNet.com reported on July 14, 2011.
It may be worth noting that VLC is a highly capable, cross-platform multimedia player that plays nearly all media formats without requiring extra codecs. The open-source player is distributed under the GNU General Public License (GPL).
Fauvet said VideoLAN was tired of the organizations and websites that deceive its users into downloading malicious software and infringe on its intellectual property by distributing fake VLC versions that do not comply with the GPL.
Disturbingly, he added, around 25 such organizations and websites, which he named and shamed, were bundling VLC with junk software to monetize it, using methods that tricked VideoLAN's users into believing they were downloading a genuine copy.
Fauvet therefore recommended that users always download VLC from the project's official website.
Separately, VideoLAN released a security update patching vulnerabilities in several components of the popular VLC application that could expose end users' PCs to compromise. Notably, two of the vulnerabilities could enable arbitrary code execution if exploited.
Meanwhile, vulnerability research company Secunia rated the two VLC vulnerabilities, discovered by security researcher Hossein Lotfi, as "highly critical", SoftPedia.com reported on July 14, 2011.
Of the two flaws, the first, CVE-2011-2587, resides in VLC's RealMedia demuxer and can be exploited to cause a heap-based buffer overflow through a maliciously crafted RealMedia file. The second (CVE-2011-2588) is of the same kind but resides in the Audio Video Interleave (AVI) demuxer and is triggered when parsing a certain "strf" chunk in an AVI file. Both flaws are confirmed to affect version 1.1.10 and possibly older versions as well.
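To illustrate the class of bug described above, here is an added example that is not VLC's code and does not reproduce the actual CVE details: a small RIFF-style chunk walker in C that locates a "strf" chunk and copies its payload into a fixed-size record. A demuxer that trusts the size field written in the file, either when advancing through the container or when copying into a heap-allocated record, is exactly what produces a heap-based overflow on a crafted file; the checks below bound every file-supplied length against the bytes actually present and against the destination. The chunk layout, the 40-byte STRF_MAX record and the sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size stream-format record a demuxer keeps per stream. */
#define STRF_MAX 40

typedef struct {
    uint32_t declared_size;   /* size field as written in the chunk header */
    size_t   copied;          /* bytes actually copied into data[] */
    uint8_t  data[STRF_MAX];
} strf_record;

enum { STRF_OK = 0, STRF_TRUNCATED = -1, STRF_TOO_LARGE = -2, STRF_NOT_FOUND = -3 };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk RIFF-style chunks (4-byte FourCC, 4-byte little-endian size, payload,
   padded to an even length) and copy the first "strf" payload into rec.
   Every length taken from the file is validated before it is used. */
int find_strf(const uint8_t *buf, size_t len, strf_record *rec) {
    size_t pos = 0;
    while (pos + 8 <= len) {
        const uint8_t *fourcc = buf + pos;
        uint32_t size = rd_le32(buf + pos + 4);
        size_t payload = pos + 8;
        /* Check against remaining bytes, written so the comparison cannot overflow. */
        if (size > len - payload)
            return STRF_TRUNCATED;
        if (memcmp(fourcc, "strf", 4) == 0) {
            rec->declared_size = size;
            /* The destination must bound the copy too; trusting 'size' here
               is the classic heap-overflow mistake. */
            if (size > STRF_MAX)
                return STRF_TOO_LARGE;
            memcpy(rec->data, buf + payload, size);
            rec->copied = size;
            return STRF_OK;
        }
        pos = payload + size + (size & 1);   /* skip chunk plus RIFF padding byte */
    }
    return STRF_NOT_FOUND;
}

/* Constructed test-data builder: writes a chunk header with 'declared' as the
   size field but only 'present' payload bytes, so truncation can be simulated. */
static size_t build_chunk(uint8_t *out, const char *fourcc, uint32_t declared,
                          const uint8_t *payload, size_t present) {
    memcpy(out, fourcc, 4);
    out[4] = (uint8_t)(declared & 0xff);
    out[5] = (uint8_t)((declared >> 8) & 0xff);
    out[6] = (uint8_t)((declared >> 16) & 0xff);
    out[7] = (uint8_t)((declared >> 24) & 0xff);
    memcpy(out + 8, payload, present);
    return 8 + present;
}

/* Sample 1 (constructed): a 4-byte "strh" chunk followed by a 16-byte "strf" chunk. */
int demo_wellformed(void) {
    uint8_t buf[64], strh[4] = {1, 2, 3, 4}, strf[16] = {0};
    size_t n = 0;
    strf_record rec;
    n += build_chunk(buf + n, "strh", 4, strh, 4);
    n += build_chunk(buf + n, "strf", 16, strf, 16);
    return find_strf(buf, n, &rec);
}

/* Sample 2 (constructed): "strf" claims 64 bytes but the file ends after 8. */
int demo_truncated(void) {
    uint8_t buf[64], strf[8] = {0};
    strf_record rec;
    size_t n = build_chunk(buf, "strf", 64, strf, 8);
    return find_strf(buf, n, &rec);
}

/* Sample 3 (constructed): 64 bytes really are present, but the record holds only 40. */
int demo_oversized(void) {
    uint8_t buf[128], strf[64] = {0};
    strf_record rec;
    size_t n = build_chunk(buf, "strf", 64, strf, 64);
    return find_strf(buf, n, &rec);
}

int main(void) {
    printf("well-formed: %d\n", demo_wellformed());
    printf("truncated:   %d\n", demo_truncated());
    printf("oversized:   %d\n", demo_oversized());
    return 0;
}
```

The two rejections are deliberately distinct: a chunk that runs past the end of the file is a parsing error, while a chunk that fits in the file but not in the destination record is the case a crafted file uses to write past a heap allocation, so a real demuxer should fail closed on both rather than clamp silently.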
Security specialists advise users to be careful about the source of any file before playing it, and to temporarily disable VLC's browser plug-ins so that attack vector is eliminated.
SPAMfighter News - 23-07-2011