[vlc-devel] [PATCH] win32: do not load wininet.dll on startup, it's not a Known DLL

Pierre Ynard linkfanel at yahoo.fr
Sat Apr 1 12:43:18 CEST 2017


> We load only from SYSTEM32 in loadlibrary calls, then we should do the
> same in implib.
> Or we do none of those.

I suggest none then.

> It's not stricto-sensu a strong security issue, since only a
> non-installed version can be compromised, or the person has UAC
> control.
> But after those patches, you need SYSTEM control to exploit it.

Okay, but let's say an attacker completely overwrites the portable VLC
to replace it with an older, vulnerable version of VLC - or even with
arbitrary malware. Has Windows security become so good that you need
SYSTEM control to exploit this?

> And yes, there is still the issue of VLC plugins loading, and that
> needs a solution.

Thank you for reminding of it, sometimes I forget that it's not a done
thing yet. Any ETA for this?

Also, any plan to fix the similar issue with lua scripts?

-- 
Pierre Ynard
"Une âme dans un corps, c'est comme un dessin sur une feuille de papier."


More information about the vlc-devel mailing list