VLC Media Player has ‘critical security issue’, VideoLAN says security flaw is fixed
VLC Media Player, a popular multi-platform media player, has a critical vulnerability that allows attackers to take control of a victim's computer and read its files, according to the security advisory that started the story.
The flaw, tracked as CVE-2019-13615 and rated "critical", was reported by Germany's national Computer Emergency Response Team (CERT-Bund). The advisory said it affected VLC 3.0.7.1 on Linux, UNIX and Windows.
The vulnerability was described as allowing remote code execution (RCE): an attacker could install and run malicious code, or modify files and data, on the target machine without the user's consent. It could also be used to disclose files on the host system.
The flaw reportedly requires the user to play a malicious MKV video file, which was said to crash VLC and compromise the player. The entry in NIST's National Vulnerability Database initially carried a CVSS base score of 9.8 out of 10.
According to VLC lead developer Jean-Baptiste Kempf, the ticket had been open on VideoLAN's bug tracker for four weeks. However, the issue is not reproducible and does not crash a normal release of VLC 3.0.7.1, Kempf added.
Francois Cartegnie from VideoLAN warns:
If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you read the above comment first and reconsider your (fake) news sources.
The VideoLAN team's Twitter account also criticised MITRE and the CVE team for publishing the entry without contacting the project:
Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly…
— VideoLAN (@videolan) July 23, 2019
Did you even check this?
No one can reproduce this issue here.
— VideoLAN (@videolan) July 23, 2019
Earlier this morning, VideoLAN took to Twitter to clarify that VLC is not vulnerable as reported by CERT-Bund. According to the makers of VLC, the issue was in a third-party library called libebml, which was fixed more than 16 months ago. VLC has shipped the corrected version of that library since version 3.0.3, and MITRE's claim was based on an outdated version of VLC.
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim. Thread:
— VideoLAN (@videolan) July 24, 2019
The issue's CVSS score on the National Vulnerability Database has since been downgraded from 9.8 to 5.5, with the note that the "Victim must voluntarily interact with attack mechanism". The related entry in VideoLAN's public bug tracker also lists the issue as fixed.
Reacting on the press reports that claimed VLC media player is vulnerable, Kempf said: “It’s insane. People are saying, ‘You need to uninstall VLC’. It’s the usual people who don’t check their facts.”
In other words, there is no need to uninstall VLC media player: the fix landed in libebml long ago and has shipped with VLC since version 3.0.3, so any current release already contains it. What is worth doing is confirming that your installed VLC is 3.0.3 or later and keeping it updated; on Linux distributions that build VLC against the system libebml package rather than a bundled copy, it is that package that needs to be at the fixed version. As with any media player, avoid opening MKV files from untrusted sources. At the time of writing, the current version of VLC is 3.0.7.1.
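The version check above, as an added example that is not code from the article or from VideoLAN. It parses the version string from the output of `vlc --version` (the "VLC media player X.Y.Z" line format is assumed from typical builds; the sample output below is constructed) and compares it against 3.0.3, the first release the article says ships the fixed libebml. Versions with a different number of components (3.0 versus 3.0.7.1) are padded before comparison so the result is correct either way.

```python
"""Check whether a VLC build predates the libebml fix (VLC 3.0.3 per VideoLAN).

Added example, not from the article or the VLC project. It assumes the first
line of `vlc --version` output looks like "VLC media player 3.0.7.1 Vetinari";
the sample below is constructed for illustration.
"""
import re
import subprocess
from typing import Optional, Tuple

# First VLC release that VideoLAN says ships the fixed libebml (from the article).
FIXED_SINCE: Tuple[int, ...] = (3, 0, 3)

# Constructed sample of `vlc --version` output (assumed format, not captured output).
SAMPLE_OUTPUT = (
    "VLC media player 3.0.7.1 Vetinari (revision 3.0.7.1-0-gdeadbeef)\n"
    "VLC version 3.0.7.1 Vetinari (3.0.7.1-0-gdeadbeef)\n"
    "Compiled by example@host\n"
)

# Dotted version number following the product name; at least two components.
_VERSION_RE = re.compile(r"VLC media player (\d+(?:\.\d+)+)")


def parse_version(output: str) -> Optional[Tuple[int, ...]]:
    """Extract the dotted version from `vlc --version` output as a tuple of ints.

    Returns None when no recognisable version string is present.
    """
    match = _VERSION_RE.search(output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_fixed(version: Tuple[int, ...], fixed_since: Tuple[int, ...] = FIXED_SINCE) -> bool:
    """True if `version` is at or after the first release carrying the fix.

    Both tuples are right-padded with zeros to the same length, so 3.0 compares
    as 3.0.0 and 3.0.7.1 is compared against 3.0.3.0 rather than truncated.
    """
    width = max(len(version), len(fixed_since))

    def pad(parts: Tuple[int, ...]) -> Tuple[int, ...]:
        return parts + (0,) * (width - len(parts))

    return pad(version) >= pad(fixed_since)


def check_output(output: str) -> str:
    """Classify `vlc --version` text as 'fixed', 'update' or 'unknown'."""
    version = parse_version(output)
    if version is None:
        return "unknown"
    return "fixed" if is_fixed(version) else "update"


def check_installed_vlc(binary: str = "vlc") -> str:
    """Run the installed VLC and classify it; 'unknown' if it cannot be run."""
    try:
        result = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, timeout=10
        )
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    return check_output(result.stdout)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # check_installed_vlc() to test the binary on the current machine.
    print(check_output(SAMPLE_OUTPUT))
```

A result of "fixed" only tells you the VLC release is recent enough to bundle the corrected libebml; on a distribution build that links the system libebml, check that package's version with your package manager as well.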