Security researchers working independently of each other have discovered critical vulnerabilities in VLC Media Player that attackers can exploit to plant malicious code on a computer where the media player is installed and in use.
The two high-risk flaws, which affect versions 3.0.6 and earlier, allow an attacker to execute arbitrary code on a vulnerable system once a specially crafted video file is loaded in the player.
VLC Media Player is one of the most popular media players on the market, priding itself on more than 3 billion downloads. Its popularity comes from being free, open source, and portable.
The cross-platform media player runs on Windows, macOS, and Linux, with versions also available for Android and iOS. It is also one of the few players that can read a wide variety of video and audio formats, which adds to its appeal among users. Given the combined number of active VLC Media Player users and its total download count, an exploit for the discovered vulnerabilities could cause a massive outbreak of cyber attacks.
The first high-severity vulnerability, tracked as CVE-2019-12874, was identified by Symeon Paraschoudis, a researcher from Pen Test Partners. It is a double-free flaw in the zlib_decompress_extra() function (demux/mkv/utils.cpp) of the VideoLAN VLC player, and it can be triggered while the Matroska demuxer parses a malformed MKV file.
The second vulnerability was discovered by zhangyang via HackerOne. Tracked as CVE-2019-5439, it is a buffer overflow in ReadFrame (demux/avi/avi.c). It allows a remote attacker to create specially crafted AVI or MKV files that, when loaded by the target user, trigger a heap buffer overflow on the target system.
According to the researchers, a malicious third party who gets a malformed file opened on the target system could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.
Researchers said that an attacker could simply trick a target or potential victim into opening a seemingly innocuous video in VLC in order to carry out the attack.
VideoLAN, the company behind VLC Media Player, has advised users to refrain from opening suspicious videos in the player. “The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins) until the patch is applied,” they said in a security advisory. The company has patched both vulnerabilities in the new update, version 3.0.7.
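As an added example (not from the article or from VideoLAN), here is how an administrator might triage an endpoint inventory against the advisory: it parses the version out of each host's `vlc --version` banner and flags anything older than 3.0.7, comparing numerically so that 3.0.10 is not mistaken for an older release. The banner format and the hostnames are constructed assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Release in which VideoLAN fixed CVE-2019-12874 and CVE-2019-5439 (per the advisory).
FIXED_VERSION = (3, 0, 7)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_vlc_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a `vlc --version` banner line.

    Returns None when no dotted version is present, so callers can flag the
    host for manual inspection instead of silently treating it as patched.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)  # numeric tuple compare: (3,0,10) > (3,0,7)


def is_vulnerable(banner: str) -> Optional[bool]:
    """True if the banner reports VLC older than 3.0.7, False if patched, None if unparseable."""
    version = parse_vlc_version(banner)
    if version is None:
        return None
    return version < FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'vulnerable', 'patched' or 'unknown' for a patch-tracking report."""
    labels = {True: "vulnerable", False: "patched", None: "unknown"}
    return {host: labels[is_vulnerable(banner)] for host, banner in inventory.items()}


# Constructed sample inventory: hostnames and banner strings are made up for illustration.
SAMPLE_INVENTORY = {
    "ws-01": "VLC version 3.0.6 Vetinari",
    "ws-02": "VLC version 3.0.7 Vetinari",
    "ws-03": "VLC version 3.0.10 Vetinari",
    "ws-04": "VLC version 2.2.8 Weatherwax",
    "ws-05": "vlc: command not found",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```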
Other recent zero-days
Researchers have been discovering several zero-day vulnerabilities in commonly used software over the past few months. Recently, experts found a zero-day in Mozilla's Firefox browser that was actively exploited by attackers to target cryptocurrency exchange companies and their employees.
Samuel Groß, a security researcher on Google's Project Zero team, and the Coinbase Security team were credited with discovering the Firefox zero-day, tracked as CVE-2019-11707.
Nonetheless, aside from its terse announcement, Mozilla has offered no further information, particularly about the vulnerability itself or the ongoing attacks in the wild.
“This can allow for an exploitable crash,” they added. “We are aware of targeted attacks in the wild abusing this flaw.”
One of the confirmed victims of the Firefox zero-day exploitation is Coinbase and its employees. The crypto exchange company revealed that it had discovered a red flag, and its engineers and staff immediately resolved the issue.
Philip Martin, a member of the Coinbase security team and the one who reported the attacks, said that the attackers exploited not one but two zero-days to carry out their attacks.
“On Monday, Coinbase detected & blocked an attempt by an attacker to leverage the reported 0-day, along with a separate 0-day Firefox sandbox escape, to target Coinbase employees,” Martin said.