VideoLAN warns of unpatched flaw in VLC 1.1.6

The VideoLAN project is warning its users of a critical security vulnerability in version 1.1.6, the latest release of its popular VLC media player, that can lead to malicious code execution.

While VLC 1.1.6 - which was released by the group just last week - fixed a range of worrying security vulnerabilities in the popular open-source cross-platform media player, the team apparently missed one in the handling of MKV files.

A plugin responsible for splitting MKV files into their audio and video components for playback - a process known as demuxing - has been blamed for the flaw, which allows attackers to execute code on a target system by convincing the user to open a maliciously crafted MKV video file.

Although the flaw has been fixed by a code contributor and the file updated in the project's source repository, a binary release has not yet been made available. Once the fix has been verified as working, the team will make VLC 1.1.7 available - and it's a recommended update for anyone concerned about the security of their system.

While waiting for the official fix, a temporary workaround is available by deleting the libmkv_plugin - but be warned that this will disable VLC's ability to play back MKV files until the new version is released.

More information on the flaw is available in the VideoLAN security advisory.