Tech researchers recently discovered critical vulnerabilities in VLC Media Player that hackers can exploit. These security holes can be used to plant malware on the computer where the media player is being used.
The security flaws in versions 3.0.6 and earlier of the software can enable hackers to load certain types of video files that can execute arbitrary code.
Symeon Paraschoudis, a researcher from Pen Test Partners, was able to identify the first high-severity vulnerability. He named it CVE-2019-12874, an MKV double-free flaw found in the "zlib_decompress_extra() (demux/mkv/utils.cpp)" function of VideoLAN's VLC player. Parsing a malformed MKV file inside the Matroska demuxer can trigger the flaw.
A certain zhangyang from HackerOne discovered the second vulnerability. Identified as CVE-2019-5439, it is a buffer overflow vulnerability that resides in ReadFrame (demux/avi/avi.c). This flaw enables a remote user to create specially crafted AVI or MKV files. When loaded by the target user, the video files will trigger a heap buffer overflow on the targeted system.
The researcher said a malicious third party could get the malformed file opened on the targeted system. This action could trigger either a VLC crash or arbitrary code execution with the target user's privileges. A hacker can carry out this plan by tricking a target into opening a seemingly unsuspicious video in VLC.
VideoLAN, the company that created VLC Media Player, has warned users to avoid opening suspicious videos in the software. In its advisory, it tells its users not to open files from untrusted third parties. It also urged users to refrain from accessing untrusted remote sites (or disable the VLC browser plugins).
The company said it would apply a patch soon.
VideoLAN also said it had patched the discovered vulnerabilities in the updated version 3.0.7. As such, it strongly recommends that VLC users upgrade to VLC 3.0.7 or later to avoid getting hacked.
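To act on the upgrade advice across many machines, the script below is an added example (not VideoLAN's or the researchers' code) that classifies a VLC version string against the 3.0.7 fix release named above. The function names and sample banners are constructed for illustration, and "patched" refers only to the two CVEs covered in this article.

```shell
#!/bin/sh
# Added example: flag VLC builds older than 3.0.7, the release the article
# says fixes CVE-2019-12874 and CVE-2019-5439.
FIXED="3.0.7"

# Pull the first dotted version number out of a string such as a version banner.
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p' | head -n 1
}

# Print -1, 0 or 1 when version $1 is older than, equal to or newer than $2.
# Components are compared as numbers, so 3.0.10 correctly sorts after 3.0.7
# (a plain string comparison would get this wrong).
version_cmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}          # missing components count as 0
        if [ "$x" -lt "$y" ]; then echo -1; return; fi
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
    done
    echo 0
}

# Classify a bare version or a full banner line.
vlc_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo "unknown"; return; fi
    if [ "$(version_cmp "$v" "$FIXED")" = "-1" ]; then
        echo "vulnerable ($v < $FIXED)"
    else
        echo "patched ($v)"
    fi
}

# Constructed sample inputs, e.g. collected from a software inventory.
for banner in "VLC media player 3.0.6 Vetinari" "3.0.7" "3.0.10" "2.2.8"; do
    printf '%-34s -> %s\n' "$banner" "$(vlc_status "$banner")"
done
```

On a host with VLC installed, `vlc_status "$(vlc --version 2>/dev/null)"` checks the local build.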
Other Zero-Day Vulnerabilities
In the past few months, tech researchers have also been discovering several zero-day flaws in many commonly used services. Recently, experts found a zero-day flaw in Mozilla’s Firefox browser. Hackers actively exploit the vulnerability to target crypto exchange companies and their employees.
The vulnerability in the browser was named CVE-2019-11707. Samuel Groß, a Google Project Zero security researcher, and the Coinbase Security team were credited for the discovery.
Beyond its brief announcement, Mozilla offered nothing else, especially concerning the vulnerability. The company also did not advise its users of the ongoing attacks in cyberspace.