Categories: Insights

VLC latest version contains security flaw that can compromise user machine

VLC is reportedly unfortified against remote-code execution which means that if the software opens a malicious video, there could be a possibility of the media player crashing, or of the tricky video running malware on the host machine.

The U.S. government’s National Institute of Standards and Technology (NIST) has registered a “critical” heap-based buffer overflow which is called CVE-2019-13615. The VLC software reportedly utilizes this in its latest official version (3.0.7.1). 

The NIST claimed that it is not improbable that a victim might be tricked into opening a booby-trapped video using VLC, which might trigger a coding complication and result in either a non-dangerous crashing of the software or a disagreeable situation involving the execution of some malign code.

This defect was detected in the Linux, Unix, and Windows builds of the VLC media player.

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp – NIST

Germany’s CERT has also interpreted this bug as dangerous and exploitable.

However, the developers of the widely popular VLC media player software, which is open-sourced, have disputed this claim, stressing that the possibilities of exploiting the programming blunder are next to zero.

VideoLAN lead developer Jean-Baptiste Kempf, while discussing the defect called ‘CVE-2019-13615’ in a bug-tracking ticket, observed that he was unable to recreate the crash using a proof-of-concept. MP4 video that was supposed to hinder the latest version of VLC. He even reported that he was unable to crash both the older version of the software and the ones that are currently work-in-progress.

Kempf – “This does not crash a normal release of VLC 3.0.7.1. Sorry, but this bug is not reproducible and does not crash VLC at all.”

If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources – Francois Cartegnie, VLC developer

Contradictorily, when the proof-of-concept. MP4 video was played on the VLC version 3.0.7 Vetinari (3.0.7-0-g86cee31099) on Linux, the technology news and opinion website, The Register, observed that the player crashed with a segmentation fault.

This seems to be at odds with Kempf’s statement that the bug in question “does not crash” the system and that “the bug is not reproducible“. It also raises the question of whether remote-code execution is possible or impossible.

There will soon be an update patch available for the VLC software so that users can regularly update it to keep their system safe.

Bhaswati Sarkar

She is a feminist pursuing a M.A. degree. She likes to lose herself in music and daydreams quite often. Travelling excites her and photography is her passion- nature is her favorite subject. Writing is cathartic for her. A happy-go-lucky kind of person, she tries to remain calm and serene through daily life.

Published by
Tags: NewsSoftware

Recent Posts

Consumer demand momentum for gold jewelry continued in Q1

Consumer demand for gold in India saw robust growth in the first quarter of calendar…

May 7, 2021

Covid crisis poses an economic risk in Q1 FY22; ‘muted impact’ likely: FinMin

As states take to lockdowns amid the severe Covid crisis, the Finance Ministry in a…

May 7, 2021

Traveling made simple: Organizing your bag

When you travel, one of the things you should always keep at the front of…

May 7, 2021

Covid-19 pandemic precaution causing hand dermatitis to 2/3rd population

More than two-thirds of people may now have hand dermatitis due to stringent hand washing…

May 7, 2021

Samsung rolls out support for Indian English with Bixby 3.0 update

To make it more friendly for the Indian users, South Korean tech giant Samsung Friday…

May 7, 2021

Tech giant Google is turning on two-factor authentication by default for users

To secure users from online security threats, Google is reportedly enabling two-factor authentication (2FA) on…

May 7, 2021