VLC Media Player Fixes Critical Buffer Overflow RCE Bug
- VLC has published a new bug-fixing version, and people are advised to apply it urgently.
- The flaw may result in remote code execution, information disclosure, and program crashing.
- Attackers will use specially crafted media files to trigger the bug, so users who can’t upgrade should just limit themselves to opening personal files.
Users of the VLC (Video Lan Client) media player, one of the most widely used, powerful, and versatile media players out there, are advised to apply the latest available update, which fixes a nasty bug. Carrying the identifier CVE-2020-13428, this vulnerability allows a malicious remote actor to either crash the media player or carry out arbitrary code execution with the privileged of the victimized user. When combined with additional exploitation scenarios and methods, this RCE flaw can potentially result in the leaking of user information. However, the VLC team believes the most likely event remains to crash the player.
Maybe crashing VLC doesn’t sound like an overly troublesome occurrence. Still, many professionals are using the software to stream and broadcast media on the web, so crashing it isn’t merely a hiccup for everyone out there. The flaw affects all versions from 3.0.10 and earlier, so users are advised to upgrade to version 3.0.11 or later as soon as possible. If that’s not an option for any reason, you may refrain from opening files that come from unknown or untrustworthy sources, or disable the VLC browser plugins until you have updated the software. That is because the attacker would craft a special file that triggers the buffer overflow in the software’s H26X packetizer, and so avoiding to open anything other than what’s already on your disks should be enough.
Other notable fixes that landed with version 3.0.11 include the following:
- Fixes HLS regressions
- Fixes a potential crash on startup on macOS
- Fixes imprecise seeking in m4a files
- Fixes resampling on Android
- Fixes a crash when listing Bluray mount points on macOS
- Avoid unnecessary permission warnings on macOS
- Fixes permanent silence on macOS after pausing playback
- Fixes AAC playback regression
- Bumps some dependencies, notably libarchive, following the publication of CVE-2020-9308 and CVE-2019-19221
The branch of the third major version of the VLC is approaching its end, as the long-awaited VLC 4.0 has been in preparation for more than a year now. Of course, you can only test it out in the form of a nightly build, so it’s not considered stable or fit for critical deployment. This new version will bring a brand new and more modern user interface, support for virtual reality content, and a rich set of optimizations.