Don’t use VLC Media Player to watch movies from torrents & porn sites
During the most recent months, multiple security flaws have been detected in the VLC Media Player, which have been reported in a timely manner to its developers. According to web application security specialists, one of the most prominent reports details critical vulnerabilities that could lead to high-risk scenarios in combination with other attack variants.
A recently published research conducted by a group
of experts led by Antonio Morales of security firm Semmle has revealed the
presence of at least 11 different security vulnerabilities in the VLC
Media Player code. Experts publicly disclosed details about two of
these eleven flaws, tracked as CVE-2019-14438 and CVE-2019-14533.
The first of these flaws is an out-of-bounds writing vulnerability present in the Ogg container format. According to the report, the CVE-2019-14438 vulnerability can be triggered by inserting specially designed headers that are not properly counted by the xiph_CountHeaders function. As a result, the total number of bytes that can be written is larger than expected, causing an overflow of previously allocated buffers.
Moreover, the CVE-2019-14533 flaw is a free-use
error vulnerability that affects only ASF Container WMV and WMA files. The flaw
causes dereference of previously released memory that leads to an expected flow
disruption attack, mentioned in the report of web application security experts.
In addition, two other safety flaws in the
media player have been reported, identified as CVE-2019-13602 and
CVE-2019-13962. Although the Common Vulnerability Scoring System (CVSS) gave
them scores of 8.8/10 and 8.9/10, VLC developers consider these estimates to be
somewhat exaggerated.
VideoLAN, VCL’s developer company, has received
15 security reports in total; the flaws have already been addressed by the firm
and users of this software have been invited to install the latest versions. In
a security alert, the company ensures that threat actors could exploit any of
these vulnerabilities using specially designed files. “These flaws are
most likely capable of disrupting the operation of the media player, but it is
possible for a hacker to take advantage of the vulnerabilities, combining them
with waves of attack to cause the software to filter information from the media
remote code”, mentioned the VideoLAN web application security team.
The 15 security flaws are completely corrected,
as reported by VideoLAN when releasing VLC Media Player version 3.0.8. The
company insists that it is critical for users to verify the version they are
currently working with to install updates if necessary. In addition, VideoLAN
also advises users to refrain from opening files of unknown origin to mitigate
the risk of exploiting these failures.
According to web application security
specialists from the International Institute of Cyber Security (IICS), the
company had received multiple reports of vulnerabilities that turned out to be
fake, so on subsequent occasions they have had to pay more attention to the
different reports about computer errors they receive each week.
Gloss