Critical flaw in VLC media player allows hackers to hijack PCs

VLC Media Player has ‘critical security issue’, VideoLAN says security flaw is fixed

VLC Media Player, a popular cross-platform media player, was reported to contain a critical vulnerability that would let an attacker hijack a computer and read its files, according to a security advisory.


The flaw, tracked as CVE-2019-13615 and rated "critical", was identified by Germany's national Computer Emergency Response Team (CERT-Bund). It was said to affect VLC 3.0.7.1 on Linux, UNIX and Windows.

The vulnerability was described as allowing remote code execution (RCE): an attacker could run malicious code on the target machine and modify files or data without the user's consent, and could also use it to read files on the host.

Triggering the flaw reportedly requires the user to play a malicious MKV (Matroska) video file, which was said to crash and compromise the player. The entry in NIST's National Vulnerability Database initially carried a CVSS base score of 9.8 out of 10.

According to VLC lead developer Jean-Baptiste Kempf, the ticket had been open on VideoLAN's bug tracker for the past four weeks, but the issue is not reproducible and does not crash a normal release of VLC 3.0.7.1.

Francois Cartegnie from VideoLAN warns:

If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you read the above comment first and reconsider your (fake) news sources.

The VideoLAN team's Twitter account also criticised the CVE team and MITRE for publishing the vulnerability.

Earlier this morning, VideoLAN took to Twitter to clarify that VLC is not vulnerable as CERT-Bund reported. According to the VLC developers, the bug was in a third-party library, libebml, and had been fixed there more than 16 months earlier; VLC has shipped the corrected libebml since version 3.0.3, and MITRE's claim was based on an outdated VLC build.

The NVD entry has since been downgraded from a 9.8 to a 5.5 score, with the note that the "Victim must voluntarily interact with attack mechanism", that is, the flaw cannot be exploited unless the user opens a crafted file. The related ticket in VideoLAN's public bug tracker is also marked as fixed.

Reacting on the press reports that claimed VLC media player is vulnerable, Kempf said: “It’s insane. People are saying, ‘You need to uninstall VLC’. It’s the usual people who don’t check their facts.”


In other words, there is no need to uninstall VLC: current VLC releases already ship the fixed libebml, so the flaw does not affect them. It is still advisable to keep the software up to date and to avoid playing MKV files from untrusted sources. On Linux, VLC is typically built against the distribution's own libebml package, so that package's version matters as well as VLC's. The current version of VLC is 3.0.7.1.
