VLC media player security flaw
Update
VideoLAN has tweeted that the security issue reported by CERT-Bund is not as severe as claimed. VideoLAN says the issue lies in a third-party library, called libebml, that was fixed 16 months ago. VLC makers say that the claim was based on a previous (and outdated) version of VLC. Meanwhile, the VLC CVE has now been updated. It lowers the severity of the issue from a Base Score of 9.8 (critical) to 5.5 (medium). The changelog also makes it clear that the “Victim must voluntarily interact with attack mechanism.”

PS: VLC users don’t need to uninstall it to stay protected from the vulnerability. You just have to ensure that it is updated to the latest version.

Original story continues from here [Published on July 24, 2019]

If you still use the popular open-source VLC Media Player, you might want to uninstall it (at least for now). German security agency CERT-Bund has discovered a critical security flaw in VLC that attackers could use for remote code execution or to cause a denial of service.

The worst part is that VideoLAN (the team behind VLC) doesn’t have a complete patch at the moment and until it rolls out one, your PC remains vulnerable.

Vulnerability in VLC Media Player

The vulnerability, described in CVE-2019-13615, reads:

“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.”

In short, this security flaw can allow hackers to hijack your PC and go through your files.

A fix on the way

Fortunately, there have been no reports of exploitation of this flaw. WinFuture reports that Windows, Linux, and Unix versions of VLC have been affected by the security hole, but the macOS version remains safe.

Nevertheless, it totals up to a huge number of potentially vulnerable systems out there.

VideoLAN has been informed of the issue and the team is currently working on a patch. However, the patch is only nearly 60% complete, so we will have to wait longer for a fix.
