German IS-specialists have found a critical RCE-bug in VLC Media Player: there is no patch yet.

Specialists of the German CERT-Bund discovered a dangerous vulnerability in a popular media player that allows remote execution of arbitrary code.

The patch is already in development, but not ready yet.

It is reported that the problem poses a threat to the newest version of VLC Media Player (for Windows, Linux and UNIX) and received the identifier CVE-2019-13615.

It has been awarded a CVSS score of 9.8 out of 10.

“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files”, – warn in ESET company.

Vulnerability is of buffer overread type, and the bug root lies in the mkv :: demux_sys_t :: FreeUnused () function in modules / demux / mkv / demux.cpp triggered during a call from mkv :: Open in modules / demux / mkv / mkv .cpp.

Exploiting a vulnerability can lead not only to the execution of arbitrary code, but also to unauthorized disclosure of information, file changes and denial of service.

Read also: Following Chrome, Firefox will mark all HTTP-pages as “unsafe”

According to the bug report, the VideoLAN developers have been working on creating a patch for this problem for almost a month, but the fix is not ready yet. Judging by the status indicator, at present the patch is only 60% ready.

Currently, developers and researchers do not have information that attackers already exploit this vulnerability. However, unfortunately, after the publication of data about the bug, the situation can quickly change for the worse.
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button