The potential impact of the flaw is important because the software has more than 3.1 billion installs across various operating systems and versions.
Germany’s national Computer Emergency Response Team (CERT-Bund) has also published a security advisory to warn of the flaw in the VLC media player.
“VLC Media Player is a program for playing multimedia files and network streams.” reads the security advisory
“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.”
The vulnerability affects the latest release of the VLC player for Windows, Linux and UNIX, version 220.127.116.11, and likely earlier versions. The Germany’s national Computer Emergency Response Team (CERT-Bund) classified the flaw as a critical
The NIST National Vulnerability Database (NVD) rated the vulnerability as ‘critical’ severity and assigned it a CVSS score of 9.8 out of 10.
Both CERT-Bund and NVD pointed out that its exploitation doesn’t require system privileges or any user interaction, even if some experts believe that an attacker could exploit the flaw using a specially crafted mp4 file.
“As readers have correctly noticed in the heise security forum, the bugtracker entry (possibly as a proof of concept) depends on a .mp4 file.” reported the Heuse.de website. “This suggests that to exploit the vulnerability a prepared video file must be played. However, this is explicitly mentioned or confirmed neither in the CERT Bund report nor in the NVD entry.
According to the bugtracker used by the development team behind VLC, VideoLAN is already working on a security patch to address the flaw.
The good news is that at the time of writing, we are not aware of attacks in the wild exploiting the vulnerability.
In June, experts found two vulnerabilities in VLC media player that could allow remote attackers to take full control over a computer system while playing
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.