Warning over critical security flaw in VLC Media Player

clock • 2 min read

Exploits expected to emerge within days to take advantage of 9.8-rated critical security flaw in VLC Media Player

Computing has published an update to this story after VideoLAN, the organisation behind VLC Media Player, claimed that the security flaw had been fixed 16 months ago, and that CERT-Bund and MITRE had acted before testing the vulnerability first. 

Another critical vulnerability in VLC Media Player, which could enable hackers to access and modify data on devices, has been identified by German cyber-security agency CERT-Bund.

CERT-Bund has not yet observed the vulnerability being exploited in the wild by attackers. However, exploits will almost certainly emerge in the coming days considering that the vulnerability is now in public domain. In addition, a fix has yet to be released. 

The newly discovered flaw, indexed as CVE-2019-13615, exists in VLC Media Player version 3.0.7.1 - the newest release of the application, according to CERT-Bund. It is rated at 9.8 in NIST's National Vulnerability Database, making it a 'critical' vulnerability. The flaw enables remote code execution (RCE), unauthorised modification and disclosure of data/files and disruption of service.

"VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp," the CVE report notes.

According to WinFuture, the issue exists in Windows, Linux and UNIX versions of the programme, while the macOS version appears seemingly unaffected.

VLC Media Player's developer, the non-profit organisation VideoLAN, is currently working on a patch that, it claims, is now 60 per cent complete. The company has been working on the fix for the past four weeks, according to the bug report by the company.

Last month, VideoLAN released the biggest single security update for VLC Media Player in the history of the programme. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium and 10 rated low.

The first critical flaw, indexed as CVE-2019-12874, is an out-of-bounds write flaw in the decoder library of FAAD2 MPEG-4 and MPEG-2 AAC used by VLC 3.0.6 and earlier.

The second critical flaw, indexed as CVE-2019-5439, is a stack buffer overflow flaw. It exists in version 4.0.0 beta's Reliable Internet Stream Transport and could allow for RCE at the user's privilege level.

VLC is a popular and widely used open-source media player app, boasting more than three billion downloads worldwide. The application can play almost every multimedia format going and is free to download and use.

July has been a particular busy time for patches and updates, with Oracle releasing a tranche of more than 300 last week, while Microsoft's July Patch Tuesday addressed 77 vulnerabilities

BlackBerry, meanwhile, is this week rushing out a patch to fix flaws in its Cylance anti-virus software

You may also like
Hidden Android app exposes millions of Pixel phones to takeover

Threats and Risks

App intended to enable demo mode for stores has deep OS permissions

clock 16 August 2024 • 3 min read
Ivanti patches critical flaws in multiple products

Threats and Risks

Authentication bypass vulnerability in vTM could allow malicious actors to gain full administrative control

clock 14 August 2024 • 3 min read
SolarWinds patches eight critical flaws in Access Rights Manager software

Threats and Risks

Disclosure raises fresh security concerns

clock 21 July 2024 • 3 min read
Most read
01

UK signs AI agreement with EU and USA

05 September 2024 • 2 min read
02
03
05

Why do you need an AI PC strategy?

04 September 2024 • 2 min read

Sign up to our newsletter

The best news, stories, features and photos from the day in one perfectly formed email.

More on Threats and Risks

Researchers ID security risks in GenAI development platforms

Researchers ID security risks in GenAI development platforms

Exposes sensitive company data

clock 29 August 2024 • 2 min read
Chinese hacking gang targets ISPs via Versa flaw

Chinese hacking gang targets ISPs via Versa flaw

Attacks believed to be geared toward intelligence gathering

Kyle Alspach
clock 28 August 2024 • 3 min read
No honour among ransomware thieves: affiliates' trust craters after takedown

No honour among ransomware thieves: affiliates' trust craters after takedown

Law enforcement action and exit scams have damaged the big gangs' brands

John Leonard
clock 22 August 2024 • 3 min read