VideoLAN unveiled VLC 1.1.7, a security update on 1.1.6.
When parsing an invalid MKV (Matroska or WebM) file, input validation are insufficient. If successful, a malicious third party will be able to trigger execution of arbitrary code. Exploitation of this issue requires the user to explicitly open a specially crafted file.
As a workaround the user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.
Alternatively, the MKV demuxer plugin (libmkv_plugin.*) can be removed manually from the VLC plugin installation directory.
Source and Windows and Mac OS X builds are available.