VLC Player Vulnerability Lets Attackers Execute Malicious Code


A critical vulnerability in the VLC media player has been identified, allowing attackers to execute malicious code on users’ computers. The vulnerability, detailed in the Security Bulletin VLC 3.0.21, affects versions 3.0.20 and earlier of the popular media player.

The issue arises from a potential integer overflow that can be triggered by a maliciously crafted MMS (Microsoft Media Server) stream, leading to a heap-based overflow.


This vulnerability could enable a malicious third party to cause VLC to crash or execute arbitrary code with the target user’s privileges.

While the primary consequence of exploiting this vulnerability is likely to be the VLC player crashing, it cannot be ruled out that it could be combined with other exploits to leak user information or execute code remotely.
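The bug class described above, an integer overflow in a size calculation that produces an undersized heap buffer, is shown below next to the checked form that prevents it. This is an added example, not VLC's code and not the location of the actual flaw; the `pkt_hdr` layout, the function names and the size cap are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header with two sender-controlled 32-bit lengths
 * (constructed for illustration; not VLC's MMS structures). */
struct pkt_hdr { uint32_t header_len, payload_len; };

/* Vulnerable pattern: the sum wraps modulo 2^32, so a buffer sized from it
 * can be far smaller than the data later copied into it. */
uint32_t alloc_size_unchecked(const struct pkt_hdr *h) {
    return h->header_len + h->payload_len;
}

/* Hardened pattern: refuse lengths whose sum would wrap or exceed a cap. */
bool alloc_size_checked(const struct pkt_hdr *h, uint32_t max, uint32_t *out) {
    if (h->header_len > max || h->payload_len > max - h->header_len)
        return false;
    *out = h->header_len + h->payload_len;
    return true;
}

/* Copy a packet out of src using the checked size. Returns NULL when the
 * lengths are rejected or src holds fewer bytes than they claim. */
uint8_t *reassemble(const struct pkt_hdr *h, const uint8_t *src,
                    size_t src_len, uint32_t max, uint32_t *out_len) {
    uint32_t total;
    if (!alloc_size_checked(h, max, &total) || total == 0 || total > src_len)
        return NULL;
    uint8_t *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, src, total);
    *out_len = total;
    return buf;
}

int main(void) {
    struct pkt_hdr crafted = { 0xFFFFFFF0u, 0x20u };  /* constructed input */
    uint32_t n = 0;
    printf("unchecked size: %u\n", (unsigned)alloc_size_unchecked(&crafted));
    printf("checked accepts: %d\n", alloc_size_checked(&crafted, 1u << 20, &n));
    return 0;
}
```

With the constructed lengths, the unchecked sum wraps to 16 bytes while the header claims roughly 4 GiB of data; the checked version rejects the packet before any allocation happens.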


Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) help mitigate the risk of code execution, but these protections can potentially be bypassed.

Exploitation of this vulnerability requires the user to explicitly open a maliciously crafted MMS stream. Until the patch is applied, users are strongly advised to refrain from opening MMS streams from untrusted sources or to disable the VLC browser plugins.

The VLC development team has addressed this issue in VLC Media Player version 3.0.21. Users are urged to update to this latest version to protect against the vulnerability. To update, users can follow these steps:

  • Desktop Version:
      • Open VLC Media Player.
      • Go to “Help” > “Check for Updates.”
      • Follow the prompts to download and install the latest version.

Andreas Fobian of Mantodea Security GmbH reported the vulnerability.

Given the potential severity of this vulnerability, VLC users must update their software to version 3.0.21 as soon as possible.

By taking this proactive step, users can significantly reduce the risk of falling victim to malicious attacks that could compromise their systems.

Update now to ensure your VLC Media Player is secure and protected against this critical vulnerability.
