VLC 3.0.11 is available for download on desktop platforms

Jun 17, 2020 04:30 GMT

VideoLAN has released a new version of VLC Media Player that fixes a security vulnerability which, in the worst case, could allow remote code execution.

The update brings VLC to version 3.0.11 on Linux, Windows, and Mac, and addresses the vulnerability tracked as CVE-2020-13428, which affects only the desktop client.

VideoLAN explains that a specially crafted file, when opened in VLC Media Player, can trigger a buffer overflow in the H26X packetizer.

In most cases the result is simply a crash of the player, which is an annoyance rather than a security impact. VideoLAN warns, however, that a more sophisticated attack could turn the overflow into remote code execution and a leak of user information.

Don’t open files or streams from untrusted sources

The good news is that no attacks achieving code execution have been observed so far. That is no reason to wait, though: the bug is public and patched, so update to 3.0.11 as soon as possible.
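For administrators who need to confirm which machines are still running a vulnerable build, the following added example (not VideoLAN's code and not part of the original article) is a POSIX shell check that reports whether a locally installed VLC is at or above 3.0.11. It assumes a `vlc` binary on PATH whose `vlc --version` output begins with a line of the form "VLC media player <version> ..." (true for the Linux and macOS command-line builds; the Windows build does not print to the console). The comparison is done component by component as integers, because a plain string comparison puts 3.0.9 after 3.0.11.

```shell
#!/bin/sh
# Added example (not VideoLAN's code): report whether an installed VLC is at
# least 3.0.11, the first release containing the fix for CVE-2020-13428.
# Assumptions: a `vlc` binary on PATH whose `vlc --version` output starts
# with a line like "VLC media player 3.0.11 Vetinari (...)" (Linux/macOS;
# the Windows build does not print to the console).

FIXED_VERSION="3.0.11"

# Keep only the leading digits of one version component ("11rc2" -> "11").
digits_only() {
    printf '%s' "$1" | sed 's/[^0-9].*$//'
}

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing
# component by component as integers. Plain string comparison gets this
# wrong: "3.0.9" sorts after "3.0.11" lexically.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=$(digits_only "${a%%.*}"); y=$(digits_only "${b%%.*}")
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# Pull the version number out of the first line of `vlc --version`
# (banner format is an assumption; prints nothing if it does not match).
vlc_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^VLC media player \([0-9][0-9.]*\).*$/\1/p'
}

# vlc_is_patched VERSION: succeed when VERSION contains the fix.
vlc_is_patched() {
    version_ge "$1" "$FIXED_VERSION"
}

# Check the locally installed VLC and print a verdict. Exit 0 = patched,
# 1 = vulnerable, 2 = could not determine.
check_installed_vlc() {
    banner=$(vlc --version 2>/dev/null | head -n 1) || true
    ver=$(vlc_version_from_banner "$banner")
    if [ -z "$ver" ]; then
        echo "vlc not found or unrecognised banner: '$banner'"
        return 2
    fi
    if vlc_is_patched "$ver"; then
        echo "VLC $ver: contains the fix for CVE-2020-13428"
        return 0
    fi
    echo "VLC $ver: VULNERABLE, update to $FIXED_VERSION or later"
    return 1
}

# Run the check only when invoked with --check, so the functions can also be
# sourced from an inventory script.
if [ "${1:-}" = "--check" ]; then
    check_installed_vlc
fi
```

Run it as `sh vlc_check.sh --check` on each host; the exit code (0 patched, 1 vulnerable, 2 undetermined) makes it easy to feed into a fleet-wide inventory. The same `version_ge` helper works for any dotted version string, so it is not limited to this one advisory.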

“If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user,” VideoLAN explains.

“While these issues in themselves are most likely to just crash the player, we can't exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution, but may be bypassed. We have not seen exploits performing code execution through these vulnerabilities.”

Until the update is installed, the best protection is to avoid opening media files or streams from sources you don't trust. The overflow is only reached when VLC parses a crafted file in the H26X packetizer, so if such a file is never opened the bug cannot be triggered, whatever the platform. Once updated, confirm the installed version is 3.0.11 or later (Help > About in the player, or `vlc --version` on the command line) before treating the machine as patched.