German security agency CERT – Bund has just issued a warning to almost all VLC media player users. According to the warning, the agency has just discovered a serious security issue in the latest version of VLC. The agency classified the problem as “critical” with “High” level 4 risk assessment while informing its subscribers about the issue. It also clarified that the latest VLC 220.127.116.11 on Windows, Linux, and UNIX platforms are vulnerable to the flaw. This means that macOS users don’t have to worry as they are safe.
A report by WinFuture revealed that no current exploits have been reported in the real world. CERT has also code-named the issue as CVE-2019-13615 providing more details about the issue. This flaw is said to allow hackers to remotely attack your system. In addition to German CERT, NIST from the United States has also issued a similar warning. Hackers can also run random arbitrary code on your system without your permission as part of the hack. They can send you a special video file that can either result in the app crashing or the hidden code running on your system.
VLC developer responds
Some reports online have asked VLC media player users to uninstall the program and look for alternatives. VideoLAN, the company behind VLC has also issued a statement regarding the reports about the security issue. First up, they know about it and are currently working to fix the problem. However, the second thing about this is not what one would expect in most situations. According to the tweet that VideoLAN sent out, it appears that the developer is not happy about the entire thing.
Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly…
— VideoLAN (@videolan) July 23, 2019
VideoLAN claims that the issue is not as severe as most reports are trying to make it. Jean-Baptiste Kempf, the lead developer at VideoLAN revealed that nobody was able to reproduce the issue. Kempf tried to reproduce this issue on older 3.0.6 version, the current 18.104.22.168 version and the upcoming 3.0.8 version. However, The Register confirmed that they were able to crash the version 3.0.7 on Linux. VideoLAN has not provided any additional details about the matter right now. Unlike other publications, we are not asking you to uninstall the program from your machine. Instead, try using other media players until VideoLAN issues a new update.