If you have VLC media player on your computer, upgrade it immediately to the latest version, 3.0.7 or above. Two newly disclosed vulnerabilities allow attackers to use older, unpatched versions of VLC to crash your system and remotely execute their code.
The modus operandi is very typical. After you unsuspectingly download a malicious AVI or MKV file, playing it in VLC can give the attackers full control of your computer. These attack files can originate from video torrents as well as from Facebook, Twitter or Instagram.
Sound dangerous? Well, it is, since VideoLAN, the organization behind VLC, has issued a warning on this matter. For the past few days I have been noticing update requests every time I open the VLC media player. Warning: do not use this product anymore until you have installed its latest update, 3.0.7.
What Really Happened?
Sometime this month, security researchers at Pen Test Partners developed a new exploit that targets older VLC versions, including 3.0.6. The issue is tracked as “CVE-2019-12874” and was found by fuzzing, which feeds the player invalid or random data.
Basically, VLC is a complex piece of software that uses a large number of third-party libraries contributed by open source developers. One of these components, the “demux/mkv” module, contains the ReadFrame function, which runs in the background of a VLC file opened via “Simple Preferences.” This part of VLC is vulnerable to the new attack vector.
Once the attack file is on your system and opened, you will see VLC play for five seconds, exit and then loop over the videos one by one.
The crashes are never ending. According to Pen Test Partners, they have run 1 million executions of this exploit so far, and there were 1547 crashes within those executions. That was enough for it to make it into the NIST advisory. So far, many of the hundreds of millions of VLC users are not aware of this threat.
Apart from the remote crash exploit above, another buffer overflow vulnerability, identified as CVE-2019-5439, was disclosed on June 12, 2019. It also involves the ReadFrame function of VLC: the target user is prompted to download a specially crafted AVI or MKV file, and a successful buffer overflow can trigger a crash or make the system remotely exploitable by attackers.
How Does the Latest VLC Media Player Address These Problems?
According to VLC’s latest release notes, version 3.0.7 patches the problems by fixing buffer overflows in the handling of a number of file formats, including MP4, MKV, AVI and NSC. It also stops the infinite loop that ran when an invalid item was played.
Despite the availability of the patch, both bugs, CVE-2019-5439 and CVE-2019-12874, are currently awaiting reanalysis by security researchers. You should nevertheless download the latest VLC version from “Help/Check for Updates.” The download is automatic.
Once the download finishes, run the installer to upgrade your existing VLC installation.
Check from time to time that you have the latest version, as new bugs can strike in the future and you may not be aware of them. Also, do not open any untrustworthy files in VLC, now or in the future.
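To check whether a machine is still running a version older than 3.0.7, the following script parses the first line of `vlc --version` and compares the version number component-wise. It is an added example and not part of the original article or of VLC itself; it assumes `vlc` is on the PATH of a Linux or macOS system and prints a version line of the form `VLC version 3.0.6 Vetinari (...)`, and the sample lines below are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# First version that carries the fixes discussed above.
PATCHED_VERSION = (3, 0, 7)

# Matches the numeric version on the first line of `vlc --version` output.
_VERSION_RE = re.compile(r"VLC (?:media player |version )?(\d+(?:\.\d+)+)")

# Constructed sample outputs (not captured from real installs).
SAMPLE_OUTPUTS = [
    "VLC version 3.0.6 Vetinari (3.0.6-0-g0000000000)",
    "VLC version 3.0.7 Vetinari (3.0.7-0-g0000000000)",
    "vlc: command not found",
]

def parse_vlc_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the version as a tuple of ints, or None if no version line is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def is_patched(version: Tuple[int, ...], minimum: Tuple[int, ...] = PATCHED_VERSION) -> bool:
    """Compare component-wise; missing trailing components count as 0 (3.0.7 == 3.0.7.0)."""
    width = max(len(version), len(minimum))
    padded = version + (0,) * (width - len(version))
    padded_min = minimum + (0,) * (width - len(minimum))
    return padded >= padded_min

def check_output(text: str) -> str:
    """Classify `vlc --version` output as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_vlc_version(text)
    if version is None:
        return "unknown"
    return "patched" if is_patched(version) else "vulnerable"

def check_installed_vlc() -> str:
    """Run the local vlc binary (assumed on PATH) and classify its reported version."""
    try:
        result = subprocess.run(["vlc", "--version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "unknown"
    return check_output(result.stdout)

if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{check_output(line):10s} <- {line}")
    print("this machine:", check_installed_vlc())
```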
Alternatives to VLC Media Player
If you feel that VLC media player is no longer worth the risk, you might want to consider the alternatives. These include KMPlayer, Microsoft Photos, DivX, and Windows Media Player. All of them can be made to run the latest H.265 codecs and are excellent for HD and Full HD videos.
Did you already notice this latest vulnerability in VLC media player, or are you reading about it for the very first time? What is your favorite media player? Let us know in the comments if you have faced issues with VLC or other media players in the past.
Image credit: Homepage of VideoLan website on the display of PC, url by DepositPhotos