The German Federal Office for Information Security (BSI) and the Computer Emergency Response Team (CERT) warn of a critical vulnerability in the VLC Media Player and grade it with the risk assessment “High” (level 4). The federal agency recommends that users look for an alternative media player.
Current version with high risk potential for remote attacks
The BSI, which prepares and publishes preventive recommendations for avoiding damage, now warns of a critical vulnerability in the current version 220.127.116.11 of the popular open source media player. According to the federal agency, the flaw carries a high risk potential for remote attacks in which anonymous (that is, unauthenticated) attackers can execute arbitrary code on the affected system. The vulnerability affects systems running Microsoft Windows, Unix and Linux distributions.
A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, disclose information, or manipulate files.
The US government also warns of the threat in the National Vulnerability Database (NVD), its vulnerability catalogue. The NVD entry further shows that the attack complexity is comparatively low and that a potential attacker needs no special access rights. It rates the vulnerability at 9.8, which classifies it as critical.
No security update announced
VideoLAN, the non-profit organisation behind VLC Media Player, has not yet announced a security update. Since version 3.0.6 and older were already vulnerable to malicious code, the BSI recommends that users switch to another media player for the time being. So far, however, nothing is known about active attacks on VLC 18.104.22.168.
Update, 21.07.2019, 10:06