Summary
The host has VLC Media Player installed and is prone to an arbitrary code execution vulnerability.
Impact
Successful exploitation could allow attackers to execute arbitrary code by tricking a user into opening a specially crafted MKV file.
Impact Level: Application
Solution
Upgrade to VLC media player version 1.1.7 or later. For updates, refer to http://download.videolan.org/pub/videolan/vlc/
Insight
The flaw is due to an input validation error within the 'MKV_IS_ID' macro in 'modules/demux/mkv/mkv.hpp' of the MKV demuxer, when parsing the MKV file.
Affected
VLC media player version 1.1.6.1 and prior on Windows
References
Severity
Classification
- CVE: CVE-2011-0531
- CVSS Base Score: 9.3
- CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Related Vulnerabilities
- Adobe Air Remote Code Execution Vulnerability -June13 (Mac OS X)
- Adobe Acrobat and Reader 'printSeps()' Function Heap Corruption Vulnerability
- Adobe Air Multiple Vulnerabilities - October 12 (Mac OS X)
- Adobe Flash Player Buffer Overflow Vulnerability - Apr14 (Mac OS X)
- Adobe Acrobat Multiple Unspecified Vulnerabilities - Mac OS X