Identified as CVE-2019-13615, the vulnerability in the hugely popular VLC media player (version 3.0.7.1) was recently reported by Germany's CERT-Bund and given a CVSS score of 9.8 in NIST's National Vulnerability Database.
The flaw allegedly leaves billions of computers exposed to remote code execution (RCE), whereby attackers could gain unauthorized access to install and execute malicious code, modify files and data on target machines, and cause disruption through denial-of-service attacks.
Although the bug has been open at VideoLAN's end for the past four weeks, and the team is 60 percent of the way through working on a fix, VLC developer Jean-Baptiste Kempf says the issue is not reproducible and doesn't crash a normal release of VLC 3.0.7.1, reports Lifehacker. Kempf made the following comments:
"This does not crash a normal release of VLC 3.0.7.1"
"If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources."
The VideoLAN team's Twitter account also took MITRE and CVE to task over how the issue was published:
Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly...— VideoLAN (@videolan) July 23, 2019
Did you even check this?— VideoLAN (@videolan) July 23, 2019
No one can reproduce this issue here.
Reportedly, the bug doesn't affect macOS users, so they can continue using the software without any problems. Those on Windows, Linux or Unix are advised to exercise caution as things proceed, because it's rather tricky to pick a side between the German Computer Emergency Response Team (CERT-Bund), which first brought the issue to light, and VideoLAN, the non-profit organization behind the open-source media player.
In the meantime, the more cautious approach is to temporarily retire the software until a patch becomes available and use an alternative such as KMPlayer, GOM Player or Media Player Classic. If you feel like it, you can download the proof-of-concept video from the original filer of the bug to see whether it crashes your VLC installation (it didn't crash on my end) and decide for yourself.