Vulnerabilities in VLC Player 3.0.11 Let Attackers Execute Code Remotely



VLC is a free and open-source cross-platform multimedia player and framework that plays most multimedia files as well as DVDs, audio CDs, VCDs, and various streaming protocols without downloading any additional codecs.

VideoLAN has announced fixes for multiple vulnerabilities in VLC media player. Affected versions: VLC media player 3.0.11 and earlier.

The Impact of the Attack

A remote user could create a specially crafted file that triggers various issues, in particular buffer overflows and invalid pointer dereferences.

In this scenario, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the privileges of the target user.

The organization stated that these issues on their own are most likely to just crash the player, but they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution but may be bypassed.

“We have not seen exploits performing code execution through these vulnerabilities,” reads the advisory.

The exploitation of these issues requires the user to explicitly open a specially crafted file or stream.

Solution

VideoLAN states that VLC media player 3.0.12 addresses the issue.

The changes made between 3.0.12 and 3.0.12.1:

macOS:

  • 3.0.12.1 is the first release for Apple Silicon Macs
  • Version bump to allow an automatic upgrade path

The changes made between 3.0.11.1 and 3.0.12 are as follows:

  • Fix adaptive’s handling of resolution settings
  • Improve Bluray tracks support
  • Improve WMV seeking and DASH support
  • Fix crashes in AVI, MKV modules
  • Fixes in the web interface, including privacy and security improvements
  • Update YouTube and Vocaroo scripts
  • Fix rotation filter mouse handling
  • Update translations

The organization advises users to refrain from opening files from untrusted third parties or accessing untrusted remote sites (or to disable the VLC browser plugins) until the patch is applied.
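To find machines that still need the update, the following added example (not from VideoLAN or the original article) triages collected VLC version banners against the fixed release 3.0.12, including the four-part versions 3.0.11.1 and 3.0.12.1 mentioned above. The host names and banner lines are constructed samples, and treating every version below 3.0.12 as needing the update is an assumption based on the versions given in this article.

```python
import re

FIXED = (3, 0, 12)  # first fixed release according to the article

# Dotted version inside a banner such as "VLC media player 3.0.11 Vetinari"
_BANNER = re.compile(r"VLC media player (\d+(?:\.\d+)+)")


def parse_version(banner):
    """Return the version as a tuple of ints, or None if no banner is found."""
    match = _BANNER.search(banner)
    if match is None:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def needs_update(version, fixed=FIXED):
    """Compare numerically, padding with zeros so 3.0.11.1 < 3.0.12 < 3.0.12.1."""
    width = max(len(version), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(version) < pad(fixed)


def triage(inventory):
    """Sort (host, banner) pairs into update / ok / unknown buckets."""
    result = {"update": [], "ok": [], "unknown": []}
    for host, banner in inventory:
        version = parse_version(banner)
        if version is None:
            result["unknown"].append(host)  # VLC missing or unreadable output
        elif needs_update(version):
            result["update"].append(host)
        else:
            result["ok"].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and collected banners)
SAMPLE = [
    ("ws-01", "VLC media player 3.0.11 Vetinari"),
    ("ws-02", "VLC media player 3.0.11.1 Vetinari"),
    ("ws-03", "VLC media player 3.0.12 Vetinari"),
    ("mac-01", "VLC media player 3.0.12.1 Vetinari"),
    ("ws-04", "VLC media player 2.2.8 Weatherwax"),
    ("ws-05", "vlc: command not found"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket should be checked by hand rather than assumed to be patched.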
