VLC remains one of the most popular cross-platform media players in the world, installed on a very large share of PCs. That is what made the recent report so worrying: a newly disclosed and potentially serious security flaw was said to let attackers take control of your PC.
Reported by the German federal CERT, CERT-Bund (via WinFuture), the flaw in VLC (listed as CVE-2019-13615) was initially given a CVSS base score of 9.8, which classifies it as "critical." The vulnerability was described as enabling RCE (remote code execution), which would potentially allow attackers to install, modify, or run software without authorisation, and could also be used to disclose files on the host system. Translation: VLC's security hole could allow hackers to hijack your computer and see your files.
Thankfully, there was no sign that anyone had exploited the flaw yet, but with WinFuture reporting that the Windows, Linux, and Unix versions of VLC are all affected (but not the macOS version), that is a huge number of potentially vulnerable systems. As it turns out, though, the issue may not be as serious as it initially appeared. In a tweet, VideoLAN said the "security issue" in VLC was actually in a third-party library called libebml, that it had been fixed more than 16 months earlier, and that Mitre's claim was based on a previous (and outdated) version of VLC. The practical check is therefore not just the VLC version but the version of libebml it was built against or loads at runtime, which is where distribution packages that ship an older library can lag.
The VLC entry on the National Vulnerability Database has since been updated, downgrading the severity from a base score of 9.8 (critical) to 5.5 (medium), with the change log also specifying that the "Victim must voluntarily interact with attack mechanism." Note that adding user interaction alone to the original remote, no-privileges vector would still score 8.8 under CVSS v3; a 5.5 implies the vector was also re-scored as local with a single high-impact component rather than full compromise of confidentiality, integrity, and availability.