Companies bundling spyware, adware with open-source media player

VideoLAN developer Ludovic Fauvet has come out swinging against companies that bundle adware and spyware with the open-source VLC media player.

"At VideoLAN we’re really fed up with all those websites/companies that are tricking our users to download malware and violate our IP by distributing misleading versions of VLC without conforming to the GPL license," Fauvet said.

"What bothers us the most is that many of them are bundling VLC with various crapware to monetize it in ways that mislead our users by thinking they’re downloading an original version. This is not acceptable," he added.

Fauvet named-and-shamed at least 25 companies that were guilty of bundling spyware and adware programs with the highly rated open-source media player.

"The result is a poor product that doesn’t work as intended, that can’t be uninstalled and that clearly abuses its users and their privacy. Not to mention that it also discredits our work as volunteers and that it’s time-consuming, time that is not invested in the development," he argued.

Fauvet called on users to always download the VLC media player from the project's official website.

Separately, VideoLAN shipped a patch for a pair of "highly critical" security holes that expose users to computer hijack.

• An integer overflow error when parsing a RealAudio data block within RealMedia (RM) files can be exploited to cause a heap-based buffer overflow.
• An integer underflow error when parsing the "strf" chunk within AVI files can be exploited to cause a heap-based buffer overflow.

Successful exploitation of the vulnerabilities allows execution of arbitrary code, Secunia said in an advisory.

The vulnerabilities are confirmed in version 1.1.10. Prior versions may also be affected.