Vulnerabilities

Critical vulnerabilities found in VLC player, update as soon as possible

Two severe vulnerabilities in the popular open source multimedia player VLC have recently been corrected. According to experts in web security audit, one is a buffer overflow flaw and the other is an out-of-bond write vulnerability that had been corrected as part of a European Commission-funded bug bounty program.

In January, the European
Union
, in collaboration with HackerOne, financed 14 vulnerability
bounty programs, hoping to reinforce the security of open source projects used
by the institutions of the member countries.

Web security audit specialists say that further
details about these security flaws and their possible forms of exploitation are
still unknown; so far, it has only been revealed that the version of the media
player impacted is VLC 3.0.7, in addition to the code linked to the version 4.0
of VLC, next to be released.

Experts point out that the out-of-bond writing
vulnerability is not in VLC’s base code, but in the Faad2 library, a dependency
of VLC that has stopped receiving support. On the other hand, the buffer
overflow vulnerability is found in the code in version 4.0 of the tool, and
relates to the Reliable Internet Stream Transport (RIST) module of the player;
for now, only the beta version of VLC version 4.0 is available.

In addition to critical security flaws, 21
medium and 20 low-risk security vulnerabilities were corrected. Most
moderate-risk vulnerabilities are out-of-band read errors, stack overflows,
post-release use security issues, and more. 
“In specific scenarios these errors could interrupt the correct
functioning of VLC “, the experts in web security audits added.

Specialists from the International Institute of
Cyber Security (IICS) point out that most security errors were reported by a
HackerOne user identified as “Ele7enxxh”, who received a bounty of
about $13k USD.

Experts mention that VLC updates do not contain
significant changes beyond error fixes, although they urge users to install
them as soon as possible to mitigate any risk of exploitation.

To Top

Pin It on Pinterest

Share This