In recent months, multiple security flaws have been found in VLC Media Player and reported to its developers in a timely manner. According to web application security specialists, one of the most prominent reports details critical vulnerabilities that could lead to high-risk scenarios when combined with other attack variants.
Recently published research by a group of experts led by Antonio Morales of security firm Semmle has revealed at least 11 different security vulnerabilities in the VLC Media Player code. The experts publicly disclosed details of two of these eleven flaws, tracked as CVE-2019-14438 and CVE-2019-14533.
The first of these flaws is an out-of-bounds write vulnerability affecting the Ogg container format. According to the report, CVE-2019-14438 can be triggered by inserting specially crafted headers that are not properly counted by the xiph_CountHeaders function. As a result, the total number of bytes that can be written is larger than expected, overflowing previously allocated buffers.
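The count/write mismatch described above, as an added illustration that is not VLC's code or the researchers': a counting pass sizes a buffer and a copy pass walks the same input, with the copy bounds-checked so that headers the count missed are rejected instead of overflowing. The toy header format, MAX_HEADERS, and all function and sample names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_HEADERS 3 /* hypothetical cap applied only by the counting pass */

/* Constructed samples in a toy format: 2-byte big-endian length + payload. */
const uint8_t SAMPLE_OK[]  = {0, 1, 'a', 0, 1, 'b', 0, 1, 'c'};
const uint8_t SAMPLE_BAD[] = {0, 1, 'a', 0, 1, 'b', 0, 1, 'c', 0, 4, 'd', 'd', 'd', 'd'};

/* Pass 1: sum the payload sizes, but stop after MAX_HEADERS headers. */
size_t counted_size(const uint8_t *in, size_t len)
{
    size_t n = 0, off = 0, total = 0;
    while (n < MAX_HEADERS && len - off >= 2) {
        size_t sz = ((size_t)in[off] << 8) | in[off + 1];
        if (sz > len - off - 2)
            break; /* truncated header: stop counting */
        total += sz;
        off += 2 + sz;
        n++;
    }
    return total;
}

/* Pass 2, hardened: walks the whole input, so it can meet headers pass 1
 * never counted; every write is checked. Returns bytes written, or -1. */
long copy_headers(const uint8_t *in, size_t len, uint8_t *out, size_t cap)
{
    size_t off = 0, used = 0;
    while (len - off >= 2) {
        size_t sz = ((size_t)in[off] << 8) | in[off + 1];
        if (sz > len - off - 2 || sz > cap - used)
            return -1; /* an unchecked memcpy here would write past out[cap] */
        memcpy(out + used, in + off + 2, sz);
        used += sz;
        off += 2 + sz;
    }
    return (long)used;
}

/* Size the output from pass 1, fill it with pass 2; -1 means rejected. */
long split_headers(const uint8_t *in, size_t len)
{
    uint8_t out[64];
    size_t cap = counted_size(in, len);
    if (cap > sizeof out)
        return -1;
    return copy_headers(in, len, out, cap);
}
```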
The second flaw, CVE-2019-14533, is a use-after-free vulnerability that affects only WMV and WMA files in the ASF container. The flaw causes a dereference of previously freed memory which, according to the report of web application security experts, disrupts the expected flow of the program.
In addition, two other security flaws in the media player have been reported, identified as CVE-2019-13602 and CVE-2019-13962. Although they were given Common Vulnerability Scoring System (CVSS) scores of 8.8/10 and 8.9/10, VLC developers consider these estimates to be somewhat exaggerated.
VideoLAN, VLC’s developer company, has received 15 security reports in total; the flaws have already been addressed by the firm, and users of this software have been invited to install the latest versions. In a security alert, the company states that threat actors could exploit any of these vulnerabilities using specially crafted files. “These flaws are most likely capable of disrupting the operation of the media player, but it is possible for a hacker to take advantage of the vulnerabilities, combining them with waves of attack to cause the software to filter information from the media remote code”, mentioned the VideoLAN web application security team.
All 15 security flaws have been fixed, as reported by VideoLAN on releasing VLC Media Player version 3.0.8. The company insists that it is critical for users to check which version they are running and install updates if necessary. VideoLAN also advises users to refrain from opening files of unknown origin to mitigate the risk of these flaws being exploited.
According to web application security specialists from the International Institute of Cyber Security (IICS), the company had received multiple vulnerability reports that turned out to be fake, so it has since had to pay closer attention to the bug reports it receives each week.