Contents:
VideoLan Player, one of the most popular and ‘modable’ open-source video players, may be prone to backdoor attacks. A company release note stated that the flaw, coined CVE-2019-13615, allowed malicious remote code execution on the machine. This, in turn, would grant cybercriminals rights to download, install, write, and rename software without authorization. VLC set on to address the issue but disclosed that the patch is about 60% complete.
Deconstructing VLC’s CVE-2019-13615
Initially flagged by CERT-Bund on July the 19th, the VLC flaw, known by its technical name of CVE-2019-13615, received a 9.8 vulnerability score. This translates to a critical, zero-day flaw. However, upon closer inspection, VLC’s debug team traced the flaw to a defective library, managed by a third-party.
The library in question, called Libebml was found to contain a vulnerability which potentially allowed malicious actors to run code in the background. CERT-Bund analysis revealed that the backdoor agent would have allowed anyone to write/read memory, inject code, deactivate AV software, and steal data without the user being aware of the intrusion.
VLC later invalidated CERT-Bund’s appraisal, saying that the issue isn’t that critical. Interestingly enough, the library found to be responsible for the flaw received a fix approximately a year ago. With VLC’s ad-libs, the bug’s been downgraded from 9.8 to 5.5, which translates to “medium” on the vulnerability scale.
MITRE’s description of the VLC flaw reads:
VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.
To be able to exploit this defect, the malicious agent would to craft a .mp4 file. Upon decoding, the file would have injected code in the system, leading to denial-of-access or complete data loss.
How to deal with the VLC Flaw
Unfortunately, VLC is still far behind on delivering a fix for the CVE-2019-13615 issue. Per the company’s statement, the patch is about 60 percent complete, but no development timeline has been posted so far. In the meantime, VLC advises its customers to use as many security layers as possible and to uninstall the product until the patch is released.
Now, if you really want to buck up on your cybersecurity, you could also try these tips:
1. Don’t download and open videos from untrusted sources
VLC is, without a doubt, one of the most ‘abused’ open-source players. There’s a perfectly good reason why so many choose VLC over BSPLayer or other video decoders: it’s light, runs on almost every platform, and can play any video extension. However, VLC is quite appreciated by people who pirate content instead of paying for it. My advice to you: stick with original content and stream whenever you can. By downloading and playing a .mp4 or .mkv from an untrusted source like Pirate Bay, you risk triggering the VLC flaw.
2. Patch any outdated software
Over 80% of malware infiltrations occur due to outdated or unpatched software. Of course, you can always try to manually patch every bit of software you have on your device. However,that will take a very long time since you would have to actually seek out the outdated apps and compare versions. Yes, that will be a nuisance, but there’s actually a quicker way to do that – AV solutions like Heimdal™ Free feature automatic software patching engine that scans your PC and updates all your favorite apps.
3. Seek an alternative video player
Another way to ensure that malware doesn’t seep into your machine due to the VLC flaw is to delete the software altogether and to use a different player. There are tons of open-source video players like VLC on the web – KM Player, GOM Player, DivX, RealPlayer, XBMC Media Player, just to name a few. If you plan on uninstalling VLC, don’t forget to use a tool like CCleaner to get rid of any residue hiding in the registry.
4. Use a Mac instead of Windows or Android
I know that it sounds a little off, but according to VLC, the bug’s confined to Windows, Linux, and Android. So, if you want to watch your favorite videos without having to worry about malware, use a Mac. You don’t need to make the switch for good; just until the infection’s contained.
Wrap-up
What we know so far is that the very same 3rd party library which VLC ‘fixed’ 16 months ago appears to be backfiring. VLC promised a patch, but it’s still pretty far behind on actually delivering it. The only true fix offered so far is to uninstall VLC and to wipe-clean the system’s registry to deal with any residues.
UPDATE: A couple of hours ago, VLC updated its bug tracker, listing the flaw as ‘fixed’.
seriously?
Did you guys not keep yourself updated on the “issue”?
Hi there! Thanks for pointing out the mistake. I’ve updated the article to mirror the latest changes. Cheers!