VLC update fixes MP4 security bug

The popular media player VLC has been updated to address a potential security flaw.

Topher Kessler MacFixIt Editor

The VLC media player for OS X has been updated with a small fix that addresses a potential security flaw in the MP4 decoder. As with many security flaws, the problem results in a buffer overflow that can crash the program and potentially lead to arbitrary code execution. This is a relatively minor issue, but is one that has the potential to cause problems for people who regularly use VLC to play Internet videos.

The bug would require a specially crafted malicious video file in order for unwanted code to run on the system, and it is more likely that the problem would just result in a crash. The possibility is there, however, so if you are currently running VLC 1.1.8 you might as well update the program to version 1.1.9.

The update for VLC can be found at VLC's Web site, and is available for both Intel and PowerPC systems.

VLC is an alternative to Apple's QuickTime media player and is popular because it can play numerous unsupported and obscure video codecs that QuickTime cannot handle. It is also integral to some popular programs like HandBrake. Recently there was word that the project was suffering from a lack of available Mac interface programmers, but we are still seeing builds being updated for OS X. Besides VLC, there are a couple of other options for playing obscure video codecs, including MPlayer OS X Extended (be sure to also install the codec pack) and Perian, which is a codec pack for QuickTime.
