I’ve just read Ryan's post about the new VLC remote code execution vulnerability. He quoted Secunia’s workaround recommendation for VLC users: “Do not open untrusted WAV files”. This recommendation is not good for two reasons:
1) VLC can play files WAV files that ends with other file extensions that VLC can open, e.g. MP3 files.
2) An attacker can place an webpage which uses the VLC ActiveX for IE users to play the malicious WAV files (installed by default by VLC), or just redirect to the malicious WAV file for Firefox users who installed the Mozilla plugin (not installed by default, need to be manually selected, or installed if the user chooses the Full installation).
The best suggestion is of course to upgrade to the latest version, or use an alternative media player.
So, After reading that post, I got Ryan’s twit where he asks if VLC has an automatic update mechanism. That was a good question, and I did remember that VLC had some sort of update mechanism.
For my surprise, the latest unpatched version, v0.86h, didn’t have that option. So, I tried to go few versions back (using the awesome OldApps website).
Version 0.86 did have the “Check for Updates” option under the help menu. Clicking on it brought a new ugly window with only one button, of yet again, “Check for updates”. Clicking on this button did absolutely nothing.
So, then I decided to move few versions forward to 0.86c. This was the version I remembered having the update mechanism. It also had the option under the help menu (which brought the ugly window again). Clicking that button showed a new windows suggesting to download the “available updates” – version 0.86d.
Hrmm.. Wait.. Shouldn’t v0.86i be the latest VLC version? According to the VLC download website the answer is not yet, but even there it is version 0.86h and not 0.86d.
So, I’ve decided to download and install the 0.86d version anyway, just to find out that the "Check for updates" option is now missing again.
Not a good way of implementing a software updater…
P.S. No, there was no automatic update on any of the versions I checked.