VLC, the popular cross-platform media player, has reached version 3.0.8, which fixes over a dozen security vulnerabilities, some of which could be exploited by attackers to achieve code execution on victims’ machines.
VLC is an extremely popular piece of software that started as an academic project. It’s free and open-source and is available for Windows, macOS, Linux, Android, Chrome OS, iOS, Apple TV, and Windows Phone.
It is currently maintained by the VideoLAN non-profit organization, which took advantage of a bug bounty program set up and sponsored by the EU's Free and Open Source Software Audit (FOSSA 2) project.
The VLC bug bounty program concluded last week, but others sponsored by the European Commission are still open.
About the vulnerabilities
VLC 3.0.8 plugged 15 vulnerabilities found in its various demuxers and decoders.
Eleven flaws were discovered by Semmle researcher Antonio Morales Maldonado.
“The most critical issues fixed are use-after-free and OOB write vulnerabilities. They could each potentially be used by an attacker to execute code on the victim machine through a specially crafted file. Effectively allowing an attacker to take control of the computer,” the Semmle security research team explained.
“Three other less critical bugs, such as div-by-zero, have also been reported, even though they don’t allow code execution. But we have thought it would also be convenient to report these bugs, allowing the VLC team to fix them.”
The vulnerabilities can be exploited by delivering specially crafted media files and tricking victims into opening them.
“If successful, a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user. While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution, but may be bypassed,” the VideoLAN team noted.
They have yet to see exploits performing code execution through these vulnerabilities but, nevertheless, users are advised to refrain “from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.”
Unfortunately, VLC is high on the list of applications for which updates are most frequently neglected.
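Because the fix ships only in 3.0.8 and later, the practical check is whether the installed build is at least that version. The helper below is an added example for this article, not VideoLAN code: it parses the dotted version out of a `vlc --version` banner and compares it numerically against 3.0.8 (a plain string compare would wrongly rank 3.0.10 below 3.0.8). The banner format, the `vlc`/`cvlc` binary names and the sample output strings are assumptions made for illustration; adjust them for your platform.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First VLC release carrying the 15 fixes described in the article.
FIXED_VERSION: Tuple[int, ...] = (3, 0, 8)

# First dotted version number in a line, e.g. "3.0.8" or "3.0.7.1".
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")

# Constructed sample banners (not captured from real installs) so the
# check can be exercised offline.
SAMPLE_BANNERS = {
    "patched": "VLC version 3.0.8 Vetinari (3.0.8-0-gf350b6b5a7)",
    "newer": "VLC version 3.0.10 Vetinari",
    "vulnerable": "VLC media player 3.0.7.1 Vetinari",
    "unknown": "command not found: vlc",
}


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the first dotted version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(text: str, fixed: Tuple[int, ...] = FIXED_VERSION) -> Optional[bool]:
    """True if the version in text is >= fixed, False if older,
    None if no version could be parsed (treat None as 'verify manually')."""
    found = parse_version(text)
    if found is None:
        return None
    # Pad the shorter tuple with zeros so 3.0 and 3.0.0.0 compare sanely.
    width = max(len(found), len(fixed))
    found = found + (0,) * (width - len(found))
    fixed = fixed + (0,) * (width - len(fixed))
    return found >= fixed


def installed_vlc_banner() -> Optional[str]:
    """Run the local binary and return its version output, or None if absent.
    Assumes `vlc --version` (or `cvlc --version`) prints the version banner;
    this holds for typical Linux builds but is an assumption here."""
    exe = shutil.which("vlc") or shutil.which("cvlc")
    if exe is None:
        return None
    try:
        proc = subprocess.run([exe, "--version"], capture_output=True,
                              text=True, timeout=15)
    except (OSError, subprocess.TimeoutExpired):
        return None
    return proc.stdout or proc.stderr


if __name__ == "__main__":
    banner = installed_vlc_banner()
    if banner is None:
        print("VLC not found on PATH; checking constructed samples instead")
        for label, sample in SAMPLE_BANNERS.items():
            print(f"{label:10s} -> {parse_version(sample)} patched={is_patched(sample)}")
    else:
        status = is_patched(banner)
        verdict = {True: "patched (>= 3.0.8)", False: "VULNERABLE, update",
                   None: "version not recognised, verify manually"}[status]
        print(f"installed {parse_version(banner)}: {verdict}")
```

Treat a `None` result as a failed check rather than a pass: a build whose banner cannot be parsed (a renamed or vendor-patched binary, for instance) still needs to be confirmed by hand.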