VLC Media Player is vulnerable
A specially crafted MMS stream can cause the VLC player to crash. According to VideoLAN, it is also potentially possible to execute malicious code.
The widely used free media player VLC Media Player contains a vulnerability that allows attackers to crash the software and potentially even execute malicious code. According to a security bulletin from the developer VideoLAN, this is a DoS (Denial of Service) vulnerability based on a heap-based integer overflow.
The vulnerability can be exploited through a specially crafted MMS (Microsoft Media Server) stream that must be actively opened by the user in VLC. "If successful, a malicious third party could trigger either a crash of VLC or arbitrary code execution with the rights of the target user," explains the developer of the software.
VideoLAN assumes that exploitation of the vulnerability will most likely only lead to a crash of the software. Nevertheless, it cannot be ruled out that an attacker could use it to access user information or remotely execute arbitrary code (RCE), according to the bulletin.
Although ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) help to "reduce the probability of code execution, they can be circumvented", according to the developer.
A patch is available
All VLC versions up to and including 3.0.20 are vulnerable. Details on how the vulnerability can be exploited are not yet known. VideoLAN does not provide a CVE number or a severity classification for the vulnerability. However, the developer emphasizes that it has not yet seen any exploits that would allow malicious code to be executed.
Anyone wishing to protect themselves against possible attacks can do so by updating the software. According to VideoLAN, the problem has been fixed in the recently released version 3.0.21 of VLC Media Player. Users who have not yet installed the update are advised to avoid opening MMS streams from untrusted sources until the software has been updated.
VideoLAN names Andreas Fobian from the German IT security service provider Mantodea Security GmbH as the discoverer of the vulnerability.
Found on https://www.golem.de/news/sicherheitsluecke-der-vlc-media-player-ist-angreifbar-2406-186018.html