GERMAN SECURITY AGENCY CERT-Bund has uncovered a critical flaw in VLC Media Player that could enable hackers to access and modify data on devices.
CERT-Bund has not yet observed the vulnerability being exploited in the wild by attackers, though exploits will almost certainly emerge in the coming days considering that the vulnerability is now in public domain. In addition, a fix has yet to be released.
The newly discovered flaw, indexed as CVE-2019-13615, exists in VLC Media Player version 126.96.36.199 - the newest release of the application. It is rated at 9.8 in NIST's National Vulnerability Database, making it a 'critical' vulnerability. The flaw enables remote code execution (RCE), unauthorised modification and disclosure of data/files and disruption of service.
"VideoLAN VLC media player 188.8.131.52 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp," the CVE report notes.
According to WinFuture, the issue exists in Windows, Linux and UNIX versions of the programme, while the macOS version appears seemingly unaffected.
VLC Media Player's developer, the non-profit organisation VideoLAN, is currently working on a patch that, it claims, is now 60 per cent complete. The company has been working on the fix for the past four weeks, according to the bug report by the company.
Last month, VideoLAN released the biggest single security update for VLC Media Player in the history of the programme. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium and 10 rated low.
The first critical flaw, indexed as CVE-2019-12874, is an out-of-bounds write flaw in the decoder library of FAAD2 MPEG-4 and MPEG-2 AAC used by VLC 3.0.6 and earlier.
The second critical flaw, indexed as CVE-2019-5439, is a stack buffer overflow flaw. It exists in version 4.0.0 beta's Reliable Internet Stream Transport and could allow for RCE at the user's privilege level. µ
You no longer need to cut the cord off
Before they start shipping on 24 October
Another fine mesh
But, er, it'll be available in pink