Popular open-source media player VLC has been updated to version 1.1.6, closing a raft of security holes that security analysts had rated as 'highly critical' and that left the software's users open to attack from third parties.
The flaws, which existed in versions prior to and including VLC 1.1.6, were initially discovered by security researcher Dan Rosenberg and lay in three separate areas of the program. The demuxer used for playback of Real Media files had an array indexing error that could be used to execute arbitrary code; a heap corruption vulnerability could be exploited using specially crafted CDG files, which cause the DecodeTileBlock function to malfunction; and a second CDG vulnerability causes the DecodeScroll function to malfunction.
As well as the security fixes, which anyone who uses the software should treat as a high priority, the VLC team has also added some new functionality to the popular package. Support for MPC SV7 and SV8 has been added to Windows and Mac OS X, along with MIDI support on Mac OS X, and support for audio/L24 has been added to VLC's RTP functionality.
Several improvements have also made it into this release: WMV seeking is greatly improved, the software's visualisation functions are enhanced, decoding of content in Google's WebM or VP8 format performs better, and issues relating to the SSA font cache in Mac OS X and audio CD playback on Windows machines have been fixed.
The updated version, which is a recommended update for all users, is available for download from the VideoLAN site immediately.