The VLC player is still affected by a critical remote code execution vulnerability tracked as CVE-2019-13615.
The potential impact of the flaw is important because the software has more than 3.1 billion installs across various operating systems and versions.
Germany’s national Computer Emergency Response Team (CERT-Bund) has also published a security advisory to warn of the flaw in the VLC media player.
“VLC Media Player is a program for playing multimedia files and network streams.” reads the security advisory
“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.”
The vulnerability affects the latest release of the VLC player for Windows, Linux and UNIX, version 3.0.7.1, and likely earlier versions. The Germany’s national Computer Emergency Response Team (CERT-Bund) classified the flaw as a critical heap-based memory buffer over-read condition and assigned to it a score of 4 out of 5 on its severity scale.
The NIST National Vulnerability Database (NVD) rated the vulnerability as ‘critical’ severity and assigned it a CVSS score of 9.8 out of 10.
Both CERT-Bund and NVD pointed out that its exploitation doesn’t require system privileges or any user interaction, even if some experts believe that an attacker could exploit the flaw using a specially crafted mp4 file.
“As readers have correctly noticed in the heise security forum, the bugtracker entry (possibly as a proof of concept) depends on a .mp4 file.” reported the Heuse.de website. “This suggests that to exploit the vulnerability a prepared video file must be played. However, this is explicitly mentioned or confirmed neither in the CERT Bund report nor in the NVD entry. ( ovw ).”
According to the bugtracker used by the development team behind VLC, VideoLAN is already working on a security patch to address the flaw.
The good news is that at the time of writing, we are not aware of attacks in the wild exploiting the vulnerability.
In June, experts found two vulnerabilities in VLC media player that could allow remote attackers to take full control over a computer system while playing untrusted videos.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – VLC player, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]
A critical vulnerability in the WordPress Automatic plugin is being exploited to inject backdoors and…
As cryptocurrencies have grown in popularity, there has also been growing concern about cybercrime involvement…
Healthcare service provider Kaiser Permanente disclosed a security breach that may impact 13.4 million individuals…
Over 1,400 CrushFTP internet-facing servers are vulnerable to attacks exploiting recently disclosed CVE-2024-4040 vulnerability. Over…
A ransomware attack on a Swedish logistics company Skanlog severely impacted the country's liquor supply. …
CISA adds Cisco ASA and FTD and CrushFTP VFS vulnerabilities to its Known Exploited Vulnerabilities…
This website uses cookies.