A serious vulnerability in VLC media player has been discovered, enabling attackers to execute harmful code on users’ devices. Highlighted in the Security Bulletin for VLC version 3.0.21, this flaw impacts versions 3.0.20 and earlier of the widely used media player.
The issue stems from a possible integer overflow that can be triggered by a malicious MMS (Microsoft Media Server) stream, leading to a heap-based overflow. This vulnerability could allow a malicious actor to crash VLC or execute arbitrary code with the user’s privileges.
While the most immediate effect of exploitation is likely to be a crash of the VLC player, the flaw could potentially be combined with other vulnerabilities to leak user data or execute code remotely. Although Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) provide some mitigation against code execution, these safeguards could be circumvented.
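The bug class described above, an integer overflow in a size calculation that leads to an undersized heap buffer, is shown below next to a hardened parser. This is an added illustration, not VLC's code and not taken from the bulletin; the packet layout, `HDR_LEN` and all function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN 8u  /* constructed header size, not taken from the MMS protocol */

/* Read a little-endian 32-bit length field supplied by the remote peer. */
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unsafe pattern: the 32-bit addition wraps, so a huge length gives a tiny
 * allocation size while later copies still trust the original length. */
uint32_t unsafe_alloc_size(uint32_t payload_len) {
    return payload_len + HDR_LEN;            /* 0xFFFFFFFC + 8 wraps to 4 */
}

/* Hardened: reject the wrap and any length larger than the bytes received. */
int safe_alloc_size(uint32_t payload_len, size_t avail, size_t *out) {
    if (payload_len > UINT32_MAX - HDR_LEN) return -1;               /* would wrap */
    if (avail < HDR_LEN || payload_len > avail - HDR_LEN) return -1; /* truncated */
    *out = (size_t)payload_len + HDR_LEN;
    return 0;
}

/* Parse one packet laid out as [4-byte length][4-byte type][payload].
 * Returns a heap copy of the whole packet, or NULL if the length is invalid. */
uint8_t *parse_packet(const uint8_t *buf, size_t avail, size_t *out_len) {
    size_t total;
    if (avail < HDR_LEN) return NULL;
    if (safe_alloc_size(rd32le(buf), avail, &total) != 0) return NULL;
    uint8_t *pkt = malloc(total);
    if (pkt == NULL) return NULL;
    memcpy(pkt, buf, total);                 /* total <= avail: stays in bounds */
    *out_len = total;
    return pkt;
}

int main(void) {
    size_t n = 0;
    const uint8_t bad[12] = {0xFC, 0xFF, 0xFF, 0xFF, 1, 0, 0, 0, 'd', 'a', 't', 'a'};
    printf("unsafe size: %u\n", (unsigned)unsafe_alloc_size(rd32le(bad)));
    printf("hardened parser accepts: %s\n", parse_packet(bad, sizeof bad, &n) ? "yes" : "no");
    return 0;
}
```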
To exploit this vulnerability, the user must explicitly open a malicious MMS stream. Users are strongly urged to avoid opening MMS streams from untrusted sources and to disable VLC browser plugins until a patch is applied.
The VLC development team has resolved this issue in VLC Media Player version 3.0.21, and users are encouraged to upgrade to this latest version for protection against the vulnerability. To update, users can follow these steps:
Desktop Version
- Open VLC Media Player.
- Navigate to “Help” > “Check for Updates.”
- Follow the prompts to download and install the latest version.
The vulnerability was reported by Andreas Fobian of Mantodea Security GmbH. Its potential severity makes it crucial for VLC users to upgrade to version 3.0.21 immediately.
By taking this essential step, users can greatly decrease the risk of malicious attacks that could compromise their systems. Update now to secure your VLC Media Player against this critical vulnerability.