VLC is arguably one of the most popular software media players that people use for watching their totally legal home videos and personally ripped copies of their own Blu-rays. It may also have a massive security flaw – on every version, across every platform except macOS – that could allow attackers to install, modify and even run software without authorisation.
According to Germany's security agency CERT-Bund, there's a critical vulnerability (CVE-2019-13615) in the ubiquitous media player that has yet to be patched. As noted above, it allows for Remote Code Execution (RCE) of unsigned code, and could also be used to "disclose files on the host system."
It doesn't seem as if the vulnerability has been exploited by nefarious sorts yet, but given the software's ubiquity, there's a staggering number of potentially unsecured systems.
Developer VideoLAN is aware of the issue – but they suggest that the flaw isn’t reproducible in the current version of VLC. They also suggest that at most, the issue causes a memory leak, which can then lead to poor performance.
Anyway, it seems a new patch is still quite far out. The attack vector appears to be a malformed video file in MKV format, which means that those most at risk are people downloading and playing unsavoury MKV videos from the internet. Because the patch is still a way out, the recommended solution right now is to just uninstall VLC and use something else in the meantime, or just not be daft enough to play MKV files you've torrented.
Last Updated: July 24, 2019