
VLC latest version contains security flaw that can compromise user machine

Bhaswati Sarkar

VLC is reported to be vulnerable to remote code execution: if the player opens a specially crafted video file, it may crash, or the file may cause malicious code to run on the host machine.

The U.S. National Institute of Standards and Technology (NIST) has recorded a “critical” heap-based buffer over-read in its National Vulnerability Database under the identifier CVE-2019-13615. The flaw is reported to be present in the latest official VLC release (3.0.7.1).

According to the NIST entry, a victim could plausibly be tricked into opening a booby-trapped video in VLC; that would trigger the bug and end either in a harmless crash of the player or, in the worse case, in the execution of malicious code.

This defect was detected in the Linux, Unix, and Windows builds of the VLC media player.

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp – NIST
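The NIST description above says a heap-based buffer over-read in a clean-up pass (FreeUnused) of a demuxer, reached when the container is opened. The example below is an added illustration of that bug class and of the check that prevents it; it is not VLC's or libebml's code, and the toy container layout, the `demux_t` structure, the sample files and the function names `free_unused_vuln` / `free_unused_safe` are all constructed for this example. The vulnerable pass trusts an element count taken from the file and walks that many entries of a heap array that only holds the entries actually parsed; the hardened pass bounds the loop by the allocation instead.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed toy container layout (not Matroska and not VLC's code):
 *   byte 0     : declared number of track entries (attacker-controlled)
 *   bytes 1... : 3-byte entries, each [track id][codec id][used flag]
 */
#define ENTRY_LEN 3

typedef struct {
    uint8_t id;
    uint8_t codec;
    uint8_t used;
} entry_t;

typedef struct {
    entry_t *entries;   /* heap array holding exactly `present` elements */
    size_t   present;   /* entries actually found in the buffer */
    size_t   declared;  /* count claimed by the header, unchecked */
} demux_t;

/* Parse the header. Allocates room only for the entries really present in
 * the buffer, but records the declared count as-is. Returns NULL on empty
 * input or allocation failure. */
static demux_t *demux_open(const uint8_t *buf, size_t len)
{
    if (len < 1) return NULL;
    demux_t *d = calloc(1, sizeof *d);
    if (!d) return NULL;
    d->declared = buf[0];
    d->present  = (len - 1) / ENTRY_LEN;
    d->entries  = calloc(d->present ? d->present : 1, sizeof(entry_t));
    if (!d->entries) { free(d); return NULL; }
    for (size_t i = 0; i < d->present; i++) {
        const uint8_t *p = buf + 1 + i * ENTRY_LEN;
        d->entries[i].id = p[0];
        d->entries[i].codec = p[1];
        d->entries[i].used = p[2];
    }
    return d;
}

/* Vulnerable clean-up pass: iterates `declared` entries over an array that
 * holds only `present`. With declared > present this reads past the end of
 * the heap allocation (a heap-based buffer over-read); AddressSanitizer
 * reports it as "heap-buffer-overflow ... READ". Only call it on input
 * whose declared count is honest. */
static int free_unused_vuln(const demux_t *d)
{
    int freed = 0;
    for (size_t i = 0; i < d->declared; i++)
        if (!d->entries[i].used) freed++;
    return freed;
}

/* Hardened pass: rejects headers whose declared count exceeds what was
 * actually parsed, so the loop bound never exceeds the allocation. */
static int free_unused_safe(const demux_t *d)
{
    if (d->declared > d->present)
        return -1;                      /* malformed file: reject it */
    int freed = 0;
    for (size_t i = 0; i < d->declared; i++)
        if (!d->entries[i].used) freed++;
    return freed;
}

static void demux_close(demux_t *d)
{
    if (!d) return;
    free(d->entries);
    free(d);
}

/* Constructed sample files. */
static const uint8_t good_file[] = { 2, 1, 0xAA, 1, 2, 0xBB, 0 }; /* declares 2, has 2 */
static const uint8_t bad_file[]  = { 200, 1, 0xAA, 1 };            /* declares 200, has 1 */

/* Wrappers returning the pass result (-2 if the file could not be opened). */
static int run_safe(const uint8_t *buf, size_t len)
{
    demux_t *d = demux_open(buf, len);
    if (!d) return -2;
    int r = free_unused_safe(d);
    demux_close(d);
    return r;
}

static int run_vuln_wellformed(const uint8_t *buf, size_t len)
{
    demux_t *d = demux_open(buf, len);
    if (!d) return -2;
    int r = free_unused_vuln(d);
    demux_close(d);
    return r;
}

int main(void)
{
    printf("good file, hardened pass: %d unused entry\n", run_safe(good_file, sizeof good_file));
    printf("bad file,  hardened pass: %d (rejected)\n", run_safe(bad_file, sizeof bad_file));
    /* free_unused_vuln() on bad_file is deliberately not run here; build with
     * -fsanitize=address and call it to see the over-read reported. */
    return 0;
}
```

Build with `cc -fsanitize=address -g` and call `free_unused_vuln()` on `bad_file` to see the sanitizer flag the read past the 1-element allocation; that is also the quickest way to tell an over-read (a READ report, which typically yields a crash or an information leak) from an over-write, which is the case that leads directly to code execution.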

Germany’s federal CERT (CERT-Bund) has also rated the bug as dangerous and exploitable.

However, the developers of the widely used open-source VLC media player dispute this, stressing that the chances of exploiting the bug are next to zero.

VideoLAN lead developer Jean-Baptiste Kempf, discussing CVE-2019-13615 in a bug-tracker ticket, said he could not reproduce the crash with the proof-of-concept .mp4 file that was supposed to crash the latest VLC release. He added that the file crashed neither older releases of the player nor the current development builds.

Kempf – “This does not crash a normal release of VLC 3.0.7.1. Sorry, but this bug is not reproducible and does not crash VLC at all.”

Francois Cartegnie, VLC developer – “If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you read the above comment first and reconsider your (fake) news sources.”

Contradicting this, when the technology news site The Register played the proof-of-concept .mp4 file in VLC 3.0.7 Vetinari (3.0.7-0-g86cee31099) on Linux, the player crashed with a segmentation fault.

This is at odds with Kempf’s statement that the bug “does not crash” the player and “is not reproducible”. Two caveats apply, though: The Register tested a 3.0.7 build, not the 3.0.7.1 release Kempf tested, and a segmentation fault caused by an out-of-bounds read shows only that the player reads memory it should not; on its own it is not evidence that the file can execute code. Whether the flaw allows remote code execution therefore remains an open question.

A fix for VLC is expected soon. Until it is installed, users should treat video files from untrusted sources with caution and apply the update as soon as it is released.
