Numerous security vulnerabilities in VLC Media Player recently surfaced online after researchers found and reported them, including a critical security flaw. The vulnerabilities could also cause severe damage when combined with other bugs.
Prominent VLC Media Player Vulnerabilities
A researcher from the Semmle security team, Antonio Morales Maldonado, found multiple security vulnerabilities in VLC Media Player, netting 11 different security flaws.
In a blog post about these vulnerabilities, Semmle described two of the 11 flaws in detail: CVE-2019-14438 and CVE-2019-14533. The first is an out-of-bounds write vulnerability affecting the Ogg container format. Describing this vulnerability, the blog post reads,
This vulnerability could be triggered by inserting specially crafted headers which are not correctly counted by the xiph_CountHeaders function. As a result, the total number of bytes that could be written is larger than expected, overflowing previously allocated buffers.
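The bug class in the quote above, a counting pass that disagrees with the later write, is normally closed by re-checking the destination capacity at every write. The following C code is an added example, not VLC or Semmle code; the one-byte count/length format, the function names and the sample blobs are constructed for illustration and are not the Ogg/Xiph layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy format (NOT the Ogg/Xiph layout): byte 0 is the header
 * count N, followed by N records of [1-byte length][payload]. */
const uint8_t SAMPLE_OK[]    = {2, 3, 'a', 'b', 'c', 2, 'd', 'e'};
const uint8_t SAMPLE_EXTRA[] = {1, 3, 'a', 'b', 'c', 2, 'd', 'e'}; /* count 1, holds 2 */
const uint8_t SAMPLE_SHORT[] = {1, 9, 'a'};            /* claims 9 bytes, has 1 */
uint8_t OUT[5];                                        /* destination buffer */

/* Counting pass: total payload bytes, or -1 when the count byte, the
 * length bytes and the blob size do not all agree. */
long count_payload(const uint8_t *blob, size_t len)
{
    if (len == 0) return -1;
    size_t pos = 1, total = 0;
    for (unsigned i = 0; i < blob[0]; i++) {
        if (pos >= len) return -1;         /* length byte missing */
        size_t n = blob[pos++];
        if (n > len - pos) return -1;      /* payload runs past the blob */
        pos += n;
        total += n;
    }
    return pos == len ? (long)total : -1;  /* reject uncounted trailing data */
}

/* Writing pass: every copy is checked against the space left in dst, so a
 * disagreement with the counting pass fails instead of overflowing. */
long append_payloads(uint8_t *dst, size_t cap, const uint8_t *blob, size_t len)
{
    if (count_payload(blob, len) < 0) return -1;
    size_t pos = 1, out = 0;
    for (unsigned i = 0; i < blob[0]; i++) {
        size_t n = blob[pos++];
        if (n > cap - out) return -1;      /* would write past dst */
        memcpy(dst + out, blob + pos, n);
        pos += n;
        out += n;
    }
    return (long)out;
}

int main(void)
{
    printf("ok=%ld extra=%ld short=%ld\n",
           append_payloads(OUT, sizeof OUT, SAMPLE_OK, sizeof SAMPLE_OK),
           append_payloads(OUT, sizeof OUT, SAMPLE_EXTRA, sizeof SAMPLE_EXTRA),
           append_payloads(OUT, sizeof OUT, SAMPLE_SHORT, sizeof SAMPLE_SHORT));
    return 0;
}
```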
CVE-2019-14533, by contrast, is a use-after-free flaw affecting the ASF container (WMV and WMA files). Triggering the flaw only required a user to forward the video. Regarding this vulnerability, Semmle stated,
This bug is due to a not nulled pointer in DemuxEnd, which later, causes a dereferencing of previously freed memory (use-after-free read). This bug could allow an attacker to alter the expected application flow.
Furthermore, two other security researchers, Hyeon-Ju Lee and Xinyu Liu, reported the vulnerabilities CVE-2019-13602 and CVE-2019-13962 respectively. These vulnerabilities attained base scores of 8.8 and 8.9 respectively, highlighting their severity. The VideoLAN team deems these base scores ‘exaggerated’.
In its advisory, the vendor also mentions two other vulnerabilities reported by Scott Bell from Pulse Security.
VideoLAN Patched The Flaws
In all, the VideoLAN team has addressed around 15 different security flaws, including the two still pending CVE ID assignment. Describing the impact of the flaws in their advisory, VideoLAN stated that an attacker could easily exploit them using a maliciously crafted file. In turn, this could cause VLC to crash or allow arbitrary code execution. Explaining the impact further, they stated,
While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likeliness of code execution, but may be bypassed.
The vendor has patched all 15 security flaws with the release of VLC media player 3.0.8. Users must make sure their devices are updated to the latest VLC Player version.
In addition, VideoLAN advises users to refrain from opening files from untrusted sources as a workaround.