Because of its free and open-source nature, VLC is one of, if not the most popular cross-platform media player in the world. Unfortunately, a newfound and potentially very serious security flaw discovered in VLC means you might want to uninstall it until the folks at the VideoLAN Project can patch the flaw.
Discovered by German security agency CERT-Bund (via WinFuture), the new flaw in VLC (listed as CVE-2019-13615) has been given a base vulnerability score of 9.8, which classifies it as “critical.”
The vulnerability allows for RCE (remote code execution), which potentially allows attackers to install, modify, or run software without authorization, and could also be used to disclose files on the host system. Translation: VLC’s security hole could allow hackers to hijack your computer and see your files.
Thankfully, it seems no one has taken advantage of the flaw yet, but with WinFuture reporting that the Windows, Linux, and Unix versions of VLC are all affected (but not the macOS version), there’s a huge number of potentially vulnerable systems out there.
VideoLAN is also aware of the issue and is currently working on a patch, though right now, that patch appears to only be 60 percent complete. Sadly, that means while people are waiting for a fix, your only recourse to protect yourself from the flaw is to uninstall VLC and switch to an alternative like KMPlayer or Media Player Classic.
Or you could take the chance that no one tries to hack you while you wait for a fix. But either way, you’ve been warned.
[Update 8:35 AM] Based on a tweet by VideoLAN, VLC may not be as vulnerable as it initially appeared. VideoLAN says the “security issue” in VLC was caused by a third-party library called Libebml that was fixed 16 months ago, and that Mitre’s claim was based on a previous (and outdated) version of VLC.
We have reached out to both companies for more info on what happened regarding the initial CVE, and will update the story if we hear back.
[Update 10:30 AM] The VLC CVE on the National Vulnerability Database has now been updated, downgrading the severity of the issue from a Base Score of 9.8 (critical) to 5.5 (medium), with the change log also specifying that the “Victim must voluntarily interact with attack mechanism.”
Additionally, VideoLAN’s public bug tracker now lists the bug report as “fixed” and has closed the thread.
[Update 2:00 PM] When asked about its role in reporting the VLC vulnerability to the NVD, a Mitre spokesperson said “CVE entries are updated as a matter of routine as new information is reported to the CVE Program. In this specific case, the CVE entry was updated as additional information became available. If VideoLAN, or any member of the community has additional information regarding a CVE entry, we encourage them to report it to us at https://cveform.mitre.org/.”
Furthermore, regarding the CVE listing which originally received a “critical” rating, Mitre says that the “National Vulnerability Database (NVD), operated by the National Institute of Standards and Technology (NIST), is responsible for assigning CVSS scores,” and that Mitre “defers to the NVD to address any questions related to CVSS scoring.”