What just happened? Given its popularity, there's a high chance that you have the VLC media player installed on your PC. Unless you're running macOS, your Windows, Linux or Unix machine is reportedly susceptible to remote attack if it has the media player installed. Although no reports of the vulnerability being exploited have yet emerged, the VideoLAN team is still working on a patch. Interestingly, VideoLAN also says the issue isn't reproducible and that the normal release v3.0.7.1 doesn't crash because of the bug.
Identified as CVE-2019-13615, the vulnerability in the hugely popular VLC media player (version 3.0.7.1) was recently discovered by the German security agency CERT-Bund and given a CVSS score of 9.8 in NIST's National Vulnerability Database.
Apparently, the flaw leaves billions of computers exposed to remote code execution (RCE), where attackers could gain unauthorized access to install and run malicious code, modify files and data on target machines, and cause disruption through denial-of-service attacks.
Although the bug has been open at VideoLAN's end for the past four weeks, and the team is 60 percent of the way through a fix, VLC developer Jean-Baptiste Kempf says the issue is not reproducible and doesn't crash a normal release of VLC 3.0.7.1, Lifehacker reports, with Kempf making the following comments:
"This does not crash a normal release of VLC 3.0.7.1"
"If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you read the above comment first and reconsider your (fake) news sources."
The VideoLAN team's Twitter account also took MITRE and CVE to task over how the issue was made public.
Hey @MITREcorp and @CVEnew, the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly...— VideoLAN (@videolan) July 23, 2019
Did you even check this?— VideoLAN (@videolan) July 23, 2019
No one can reproduce this issue here.
Reportedly, the bug doesn't affect macOS users, so they can continue using the software without any problems. Those on Windows, Linux or Unix are advised to exercise caution as things proceed, because it's rather tricky to pick a side between the German Computer Emergency Response Team (CERT-Bund), which first brought the issue to light, and VideoLAN, the non-profit organization behind the open-source media player.
In the meantime, the safer approach is to temporarily retire the software until a patch becomes available and use an alternative such as KMPlayer, GOM Player or Media Player Classic. Though if you feel like it, you can download the proof-of-concept video from the original filer of the bug to see whether it crashes your VLC installation (it didn't crash on my end) and decide for yourself.