VideoLAN denies VLC Media Player has a major security flaw
Update: VideoLAN has denied its VLC media player has the reported security issue. VideoLAN tweeted: “VLC is not vulnerable … the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped”.
VideoLAN president and lead developer of the VLC media player Jean-Baptiste Kempf provided this comment to Trusted Reviews: “The issue is in a different library, and the issue was fixed more than 14 months ago. All binaries version of VLC distributed by VideoLAN since 3.0.3 are safe for this issue”.
Original article follows
The popular VLC media player has a critical security flaw and it has not yet been patched. A fix is currently being worked on by VLC’s parent company VideoLAN. A security advisory alert was issued for the vulnerability by the German cybersecurity agency CERT-Bund.
The latest version of VLC media player (3.0.7.1) currently includes a security flaw which could allow a remote attacker to execute code, cause a denial-of-service condition, exfiltrate information and manipulate files on a user’s machine.
According to ESET, the memory-corruption flaw may also be present in earlier versions of the VLC media player. The problem affects Windows, Linux and Unix users of the program – macOS users have dodged the issue.
The bug does not require user interaction or privilege escalation to be exploited – making it particularly dangerous. Thankfully, there have yet to be any reported cases of the security vulnerability being exploited.
In the absence of a patch, the only way to avoid the problem at the moment is to avoid using the VLC media player.
The security vulnerability is being viewed extremely seriously. The NIST National Vulnerability Database (NVD) has declared the flaw critical, ranking it 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale.
The NVD is a US government vulnerability database while the CVSS is a standard used for providing a numerical indication of bug severity.
VideoLAN is yet to reveal a date for when a patch will be released. However, the issue is listed on the company’s bug tracker as a critical priority – the listing was opened four weeks ago and is at 60% completion.
The German publication Heise Online has reported that a specially crafted .mp4 file may be required for the exploit to occur. However, neither security researchers nor CERT-Bund, the original discoverers of the bug, have confirmed this to be the case.