Security flaws that allowed hackers to exploit remote code execution fixed in VLC Media Player 3.0.11 update
The VLC media player is a free and open-source portable cross-platform media player software and streaming media server developed by the VideoLAN project. It is available for desktop operating systems and mobile platforms, such as Android, iOS, iPadOS, Tizen, Windows 10 Mobile, and Windows Phone. The media player is also available on digital distribution platforms such as Apple’s App Store, Google Play, and Microsoft Store.
VLC supports many audio and video compression methods and file formats, including DVD-Video, video CD, and streaming protocols. It is able to stream media over computer networks and to transcode multimedia files.
Researchers found a serious security flaw in the VLC Media Player that could allow hackers to exploit RCE(Remote Code Execution). As soon as the flaw was discovered the experts have informed the company and said to fix it. The VideoLan has now released VLC Media Player 3.0.11, and it is now available for Windows, Mac, and Linux.
In addition to bug fixes and improvements, this release also fixes a security vulnerability that could allow attackers to remotely execute commands or crash VLC on a vulnerable computer. This vulnerability is tracked as CVE-2020-13428 and is a “buffer overflow in VLC’s H26X packetizer” that would allow attackers to execute commands under the same security level as the user if properly exploited.
According to VideoLan Security Bulletin, the attacker could create a specifically crafted file that could trigger a buffer overflow in VLC’s H26X packetizer. If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user. While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likeliness of code execution but may be bypassed.
However, the company said that they have not seen exploits performing code execution through these vulnerabilities. You can check the changelog of the latest version below:
Fixes HLS regressions
Fixes a potential crash on startup on macOS
Fixes imprecise seeking in m4a files
Fixes resampling on Android
Fixes a crash when listing bluray mountpoints on macOS
Avoid unnecessary permission warnings on macOS
Fixes permanent silence on macOS after pausing playback
Fixes AAC playback regression
And a security issue
The company later says it is strongly advised that all users download and install version 3.0.11 to avoid the exploits that could suffer you a data loss. For more news on tech and cybersecurity stay tuned at Android Rookies by subscribing to our newsletter from here