A German cybersecurity agency, CERT-Bund, which is responsible for organising the country's response to any computer emergencies, has recently discovered what it describes as a critical flaw in the popular VLC Media Player.
VLC is known to be a highly compatible media player, and thus boasts an impressive total downloads of over 3 billion, making this vulnerability all the more dangerous. CERT-Bund classified the vulnerability, officially logged as CVE-2019-13615, to be a "High" (Level 4) exploit, which is the second-highest risk assessment level by the agency.
The exploit is rather nasty and allows attackers to not only execute code remotely but also allows for unauthorised disclosure of information, unauthorised modification of files and disruption of service.
VLC is currently in the process of creating a fix, which can be seen on its website here. However, the ticket shows work on the fix is only 60% complete and there's no ETA on when it might be complete. CERT-Bund says there are no known cases where the exploit has actually been used by attackers, but it might be a good idea to steer clear of VLC for the time being, until the exploit is officially patched. We've reached out to Videolan for more information about the matter, and for an estimate of when a fix might become available.
Source: CERT-Bund via WinFuture
Update: The makers of VLC, VideoLAN, have taken to Twitter to defend their application, arguing that the exploit lay not in the media player itself, but an outdated third-party library. Its tweets also claim that the exploit was fixed by the developers 16 months ago:
About the "security issue" on #VLC : VLC is not vulnerable.— VideoLAN (@videolan) July 24, 2019
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
The tweet thread also suggests CERT-Bund did not contact VideoLAN before making the public advisory, and that the media player's developers were not given a chance to clarify the above as a result.
59 Comments - Add comment