Hacking and Infosec

Critical security bug in VLC media player – The real truth
A critical Remote Code Execution bug has been found in VLC media player’s latest version. The bad news is “the vulnerability is still unpatched.” VideoLan denies the reports about vulnerability

The VLC media player is undoubtedly the most popular media player. Majority of computer users have VLC player installed on their computers. It’s equally famous among Windows, Mac, and Linux users. But here comes the bad news. Our favorite media player is a security threat to our computers. A severe security bug in VLC media player allows attackers to perform RCE over victims. What more dangerous is that the bug affects the latest version of VLC. Even worse news for VLC users is “The bug is still not fixed.”

Also read: Top Websites to Learn Programming free of cost

Security bug in VLC

A German security firm CERT-Bunds first reported this bug. CERT-Bund warns that latest version of VLC v3.0.7.1. The vulnerability is found in VLC’s mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp. It’s a heap-based buffer over-read vulnerability. The attacker can exploit the vulnerability to perform an RCE attack. This bug allows the hacker to extract information, cause DOS, and manipulate files.

No user interaction required

I guess it’s a bad day for VLC users including me. Here comes another bad news for you. The hacker doesn’t need any privilege escalation to exploit this bug. Not only this but also the attacker doesn’t require any user interaction. There is no known infected case reported yet. The bug has been listed as CVE-2019-13615. According to some reports, Mac users are safe from this bug. But it’ll infect Windows and Linux users.

VideoLan’s Response on the bug

Replying to the news reports about this bug, VideoLan tweeted about the issue. VideoLan is the firm that owns the VLC project. According to their tweets, there is no such bug in the VLC player. Tweeting on their official Twitter account, VideoLan said;

VLC is not vulnerable.
The issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.

They explained the matter briefly. You can read all the tweets to know the complete story.

VideoLan also accuses MITRE of not informing them. Not only this but also they mentioned many previous incidents.

Leave a Reply