VideoLAN is the not-for-profit organization behind VLC Media Player, a popular piece of software used both to play and to convert a variety of audio and video files. It is available for Windows, Linux, Mac OS X, Unix, iOS, and Android systems.
VLC media player boasts more than 3.1 billion installs across various operating systems and various release versions.
Recently, the open-source media player has become the focus of a security advisory released by the German Computer Emergency Response Team (CERT-Bund).
CERT-Bund warns in the advisory that VLC media player version 220.127.116.11, the latest build available, contains a vulnerability that has been assigned a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10.
The vulnerability, tracked as CVE-2019-13615, affects the latest edition of the software, VLC Media Player version 18.104.22.168; NIST’s National Vulnerability Database rates it at 9.8, which places it in the ‘critical’ band.
However, VLC’s developers aren’t happy that they weren’t even contacted before the flaw was published.
“Uninstall VLC right now!” is the advice most websites are providing. But the purported VLC flaw is overblown: according to VLC’s developers, it may not even be a real risk, although VideoLAN doesn’t have a complete patch at the moment.
The security flaw is reported to allow remote code execution (RCE), unauthorized modification and disclosure of data and files, and disruption of service, which is, as they say, a bad thing. A successful exploit would give an attacker total access to your computer to install, run, and modify anything on it without your knowledge.
Additionally, attackers could exploit the issue to cause denial-of-service conditions, a common function of certain malware. Keep an eye out for updates, especially if you have not set VLC to update automatically, regardless of the OS you are using.
As noted by ESET, “A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files.”
The vulnerability is known to exist in the latest version of VLC and has been detected in the Windows, Linux and UNIX versions; the macOS version, however, appears to be unaffected. It is also possible that the bug is present in past builds.
According to a developer who posted an update two days ago, VideoLAN is working rapidly on a fix, and the non-profit’s bug tracker indicates that the vulnerability has been given the “highest” priority for a patch. The fix is 60 percent complete.
While there is no concrete date for a patch release, there are no known cases of the vulnerability being exploited in the wild. No public exploitation has been reported to date, even though the flaw poses a growing threat to users of the popular software.
Nevertheless, until the patch is shipped, the only workaround appears to be to refrain from using the player altogether.