‘Critical’ VLC Zero-Day Warning Raised


Cybersecurity researchers have warned users of the popular multimedia player, VLC, of a “critical” vulnerability that could expose them to potential risks once exploited by threat actors.

The German cybersecurity firm CERT-Bund detailed in a cybersecurity warning that its researchers have flagged a vulnerability in VLC, which hackers and other malicious entities can use to compromise a device where the media player is installed.

The researchers from CERT-Bund said that users could be tricked into running malicious code on computers with VLC installed, because the flaw enables remote code execution (RCE), unauthorized modification and disclosure of data and files, and overall disruption of service. This means that users would unknowingly run malicious code on their devices, exposing them to multilayered risks.

The vulnerability, known as CVE-2019-13615, is found in the software’s latest version, VLC Media Player 3.0.7.1. The flaw has been rated 9.8 in NIST’s National Vulnerability Database, which places it at the ‘critical’ level.

While there is still no known exploitation happening in the wild, the researchers are warning users to avoid updating their software or downloading the new version of the media player.

“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files,” reads the CERT-Bund disclosure.

Interestingly, while the vulnerability is present in many environments, including the Windows, Linux, and UNIX versions, the macOS version of VLC seems to be unaffected.

VLC 3.0.7 Vetinari is the seventh version of the software in its Vetinari line and was released earlier last month. VLC Media Player is one of the most popular media players on the market, priding itself on more than 3 billion downloads. Its popularity comes from being free, open-source, and portable.

VLC Media Player, owned by VideoLAN, a non-profit organization, can run in different environments like Windows, macOS, and Linux, with versions created for Android and iOS. It is also one of the available media players that can read a wide variety of audio and video files, which makes it one of the most popular third-party media players on the market.

Given the combined number of active VLC Media Player users and the total downloads it gets, an exploit for the discovered vulnerability could cause a massive outbreak of cyber attacks.

Last month, VLC patched two major vulnerabilities in its software with a similar implication. The vulnerabilities allow a remote user to create specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow on the targeted system.

The researchers said that opening the malformed file on the target user’s device could, in the best case, cause VLC to crash and, in the worst, provide hackers with special privileges to exploit the user’s device. They warned that a hacker could simply trick a target or a potential victim into opening a seemingly harmless video in VLC to carry out the attack.

“The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins) until the patch is applied,” they said in a security advisory. This vulnerability was patched when VideoLAN released version 3.0.7, but apparently, a similar flaw also affects the new version.

Last month, VideoLAN released the biggest single security update for VLC Media Player in the history of the program. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium and ten rated low. These fixes include:

  • Improvements for HDR support on Windows, including for HLG streams
  • Improvements on the Blu-ray support, notably for menus
  • Fixes for some 10bit and 12bit rendering on Windows 10
  • Fixes for UPnP discovery on MacBooks with a TouchBar
  • Numerous security issues: One high-security issue, 21 medium, and 20 low-security issues were fixed, ranging from integer overflows to buffer overflows, with out-of-bounds read violations and stack overflows.

VideoLAN advised users that they have been working on a patch for the new flaw in version 3.0.7 for the past four weeks and they are currently 60 percent through it.

About the Author

Al Restar
A consumer tech and cybersecurity journalist who does content marketing while daydreaming about having unlimited coffee for life and getting a pet llama. I also own a cybersecurity blog called Zero Day.
