Vulnerability that allows PC hijacking found in the universal media player 'VLC'



The free software VLC media player has been downloaded more than 3 billion times and is used worldwide, because it plays media files in most formats and is easy to operate. VLC media player has now been found to be vulnerable to remote code execution when playing videos.

Short info CB-K19/0634
https://www.cert-bund.de/advisoryshort/CB-K19-0634

NVD - CVE-2019-13615
https://nvd.nist.gov/vuln/detail/CVE-2019-13615

Caution: Critical vulnerability in the current version of VLC Media Player | heise online
https://www.heise.de/security/meldung/Vorsicht-Kritische-Schwachstelle-in-aktueller-Version-von-VLC-Media-Player-4475712.html

CERT warns of critical vulnerability in the latest VLC Media Player - WinFuture.de
https://winfuture.de/news,110171.html

VLC Media Player Plagued By Unpatched Critical RCE Flaw | Threatpost
https://threatpost.com/vlc-media-player-plagued-by-unpatched-critical-rce-flaw/146611/

'Critical' Security Flaw Discovered in VLC Media Player
https://gizmodo.com/you-might-want-to-uninstall-vlc-immediately-1836641101

On July 19th, 2019, CERT-Bund, the emergency response team of the Federal Electronic Information Security Agency (BSI), a security department of the German Federal Government, announced that 'a vulnerability has been discovered in VLC media player that could be exploited to remotely execute arbitrary code and manipulate files.'

The vulnerability information database managed by the National Institute of Standards and Technology (NIST) gives the vulnerability a score of 9.8 out of 10, which makes it a fairly serious issue.

The vulnerability is said to affect the Windows, Linux and UNIX versions of VLC media player, and the affected version is 'VLC 3.0.7.1', which is the latest version at the time of writing. So far, no problems have been found in the macOS version.



At the time of writing, no released version fixes the problem. The developers are aware of the problem and have already started work on a patch, but as of the update on July 21, 2019, it was about 60% complete, and there is no prospect of a release date.

Attacks that exploit the vulnerability use a crafted media file in MP4 format, and GIZMODO recommends uninstalling VLC media player until the patch is released and using an alternative media player in the meantime.

The good news is that at the time of writing, no attack exploiting this vulnerability has been identified.

・ Follow-up
'VLC media player vulnerability' is a false alarm, developer VideoLAN says in a statement - GIGAZINE

in Software, Security, Posted by log1l_ks