VLC security flaw

Update: VideoLAN has tweeted that VLC is not vulnerable to this issue, as it was fixed more than 16 months ago. As a user, all you need to do is update the application to its latest version.

VLC is the go-to media player on Windows and also has a fair share of downloads on Android and iOS, so your PC or phone may well have it installed. A German government security agency, CERT-Bund, has reported a potentially critical flaw. The attack is said to begin with the victim playing a malicious MKV video file; the attacker could then allegedly hijack the device and access its files.

The VLC security flaw: What does it mean?


VLC is a popular open-source media player from the French organisation VideoLAN. It recently crossed 3 billion downloads, which is a testament to its popularity. Now, however, the application has been assigned a "critical" CVSS score of 9.8 out of 10 by CERT-Bund, the German agency mentioned above. The issue is tracked as CVE-2019-13615.


If you're wondering, the issue affects the desktop builds (Windows, Unix and Linux). It is classed as Remote Code Execution: a specially crafted file lets an attacker run code on the victim's machine, which could lead to a denial of service (DoS), file corruption, data theft and more.

VLC users (PC): What can you do?

[Image: VLC security flaw. Source: VideoLAN]

Until the reported flaw is confirmed patched on your installation, avoid MKV files of unknown origin from the internet. Don't download from shady websites, and if an unexpected file lands in your Downloads folder, don't open it. In particular, stay away from pirated videos (especially in MKV format) from torrents and similar sources.


Beyond that, keep all your software up to date, VLC included: make sure you are on the latest VLC release, so that the libraries it bundles are current too. Alternatively, you could try a VLC alternative such as KMPlayer or Media Player Classic. That's all for now.
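The advice above is "avoid MKV files from the internet", but a renamed file still carries the same bytes. As an added example (not code from this article or from VideoLAN), the Python script below identifies Matroska/WebM containers by their EBML header rather than by extension, and flags files whose EBML header is truncated or inconsistent, which is what "malformed MKV" means in practice. The EBML magic bytes (1A 45 DF A3) and the DocType element ID (42 82) are documented facts about the format; the two sample headers are constructed here and are not real video files. The labels and function names are this example's own choices.

```python
"""Identify Matroska/WebM files by content instead of by file extension.

Matroska (MKV) and WebM files are EBML documents: they start with the EBML
header element ID 1A 45 DF A3, and the header's DocType child (ID 42 82)
names the container ("matroska" or "webm"). Renaming a .mkv to .mp4 does
not change those bytes, so an extension-based rule is trivially bypassed.
"""
import os
import sys
from typing import Iterator, Optional, Tuple

EBML_MAGIC = b"\x1a\x45\xdf\xa3"
DOCTYPE_ID = b"\x42\x82"
MKV_EXTENSIONS = {".mkv", ".mka", ".mks", ".mk3d", ".webm"}
MAX_HEADER_BYTES = 4096  # a real EBML header is a few dozen bytes; larger is suspect


def read_vint(data: bytes, pos: int, keep_marker: bool) -> Tuple[int, int]:
    """Decode an EBML variable-length integer at data[pos].

    The number of leading zero bits in the first byte gives the width.
    Element IDs keep the length-marker bit (keep_marker=True); sizes strip it.
    Returns (value, width); raises ValueError on truncated or invalid input.
    """
    if pos >= len(data):
        raise ValueError("truncated vint")
    first = data[pos]
    if first == 0:
        raise ValueError("invalid vint (width > 8)")
    width, mask = 1, 0x80
    while not first & mask:
        mask >>= 1
        width += 1
    if pos + width > len(data):
        raise ValueError("truncated vint")
    value = first if keep_marker else first & (mask - 1)
    for b in data[pos + 1:pos + width]:
        value = (value << 8) | b
    return value, width


def ebml_doctype(data: bytes) -> Optional[str]:
    """Return the EBML DocType ("matroska", "webm", ...) of an EBML file.

    Returns None when the data is not EBML at all. Raises ValueError when the
    EBML magic is present but the header is truncated or inconsistent: that is
    the malformed-file case worth flagging, because a player will still parse it.
    """
    if not data.startswith(EBML_MAGIC):
        return None
    header_size, n = read_vint(data, len(EBML_MAGIC), keep_marker=False)
    pos = len(EBML_MAGIC) + n
    if pos + header_size > len(data):
        raise ValueError("EBML header longer than file")
    end = min(pos + header_size, MAX_HEADER_BYTES)
    while pos < end:
        _, n = read_vint(data, pos, keep_marker=True)
        id_bytes = data[pos:pos + n]
        pos += n
        size, n = read_vint(data, pos, keep_marker=False)
        pos += n
        if pos + size > end:
            raise ValueError("EBML header child overruns header")
        if id_bytes == DOCTYPE_ID:
            return data[pos:pos + size].decode("ascii", errors="replace")
        pos += size
    raise ValueError("EBML header has no DocType")


def classify(filename: str, data: bytes) -> str:
    """Label a file for triage: what the bytes say versus what the name claims."""
    ext = os.path.splitext(filename)[1].lower()
    try:
        doctype = ebml_doctype(data)
    except ValueError:
        return "malformed-ebml"
    if doctype is None:
        return "not-ebml"
    if doctype in ("matroska", "webm"):
        return "matroska" if ext in MKV_EXTENSIONS else f"matroska-disguised-as-{ext or 'no-extension'}"
    return f"ebml-doctype-{doctype}"


def scan_dir(directory: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, label) for regular files, reading only the first 4 KiB of each."""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                head = fh.read(MAX_HEADER_BYTES)
            yield path, classify(name, head)


# Constructed sample: a minimal, well-formed Matroska EBML header (not a real video).
SAMPLE_MKV_HEADER = (
    EBML_MAGIC + b"\xa3"              # EBML header element, size 35 (0x23)
    + b"\x42\x86\x81\x01"             # EBMLVersion = 1
    + b"\x42\xf7\x81\x01"             # EBMLReadVersion = 1
    + b"\x42\xf2\x81\x04"             # EBMLMaxIDLength = 4
    + b"\x42\xf3\x81\x08"             # EBMLMaxSizeLength = 8
    + b"\x42\x82\x88" + b"matroska"   # DocType = "matroska" (8 bytes)
    + b"\x42\x87\x81\x04"             # DocTypeVersion = 4
    + b"\x42\x85\x81\x02"             # DocTypeReadVersion = 2
)
# Constructed malformed sample: header size 8, but DocType claims 72 bytes (0xC8) that are not there.
SAMPLE_BAD_HEADER = EBML_MAGIC + b"\x88" + b"\x42\x82\xc8" + b"matro"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/Downloads")
    for path, label in scan_dir(target):
        if label != "not-ebml":
            print(f"{label:28} {path}")
```

Run it against a folder and it prints every file that is really an EBML container, whatever its name; "malformed-ebml" and "matroska-disguised-as-…" are the lines to look at first. It tells you what a file is, not whether it is malicious, so it complements rather than replaces keeping VLC updated.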

What is VLC’s response?

The good news is that there are no reports of the flaw being exploited in the wild. VLC is aware of the report and is working on a patch, which is reportedly 60 percent complete. Until it ships, many systems may remain vulnerable.

The VLC developers say the issue isn't as serious as the security agency and some websites make it out to be. It tweeted as follows:

It further criticises MITRE (@MITREcorp) and @CVEnew for disregarding MITRE's own disclosure guidelines, which state:

Contact the affected product vendor directly

You should make a good faith effort to notify the affected vendor and work with them to ensure that a patch is available prior to publicly disclosing the vulnerability. Information is more accurate and complete when researchers and vendors work together. This practice also reduces the likelihood of a duplicate CVE ID being issued, which can happen when both a researcher and vendor request CVE IDs.

Source: cve.mitre.org

VideoLAN also points out that it could not reproduce the issue as described in the original report.

We will keep you posted on this topic. You may bookmark this article for reference, and share it with your friends to let them know.

