VLC player has a critical flaw – and there's no patch yet (updated)

UPDATE (July 24th, 2019) The issue has taken a rather unexpected twist after the vulnerability was disclosed, with VideoLAN dismissing the bug reports and lambasting MITRE in the process. Minutes ago, the CVSS score was changed from 9.8 (critical) to 5.5 (medium severity) and a note was added to the effect that the "victim must voluntarily interact with attack mechanism". Below follows the original version of the article.

Germany's national Computer Emergency Response Team (CERT-Bund) has issued a security advisory to alert users of VLC media player of a severe vulnerability affecting this extremely popular open-source software.

“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files,” said CERT-Bund, which also discovered the security loophole.

The memory-corruption flaw is known to reside in the player’s latest release, 3.0.7.1, but may also be present in its earlier versions. It affects the program's Windows, Linux and UNIX versions and has earned a score of 4 out of 5 on the German agency’s severity scale.

Meanwhile, according to the NIST National Vulnerability Database (NVD), the bug is ‘critical’, having been ranked 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale. It is caused by a heap-based memory buffer over-read condition and falls within the CWE-119 identifier. No system privileges and no user interaction are said to be needed for successful exploitation of the vulnerability, which is tracked under CVE-2019-13615.

That said, German tech website Heise.de notes that the exploitation may require a specially crafted .mp4 file, although neither CERT-Bund nor NVD make mention of this.

Crucially, a patch has yet to be created, and the timing of its rollout is unclear. According to the bugtracker maintained by VLC’s developer, VideoLAN, work on the fix has been assigned the highest priority. As of the time of writing, the patch is said to be 60% complete.

On the bright side, there are no known cases of the security hole being under active exploitation. Nevertheless, until the patch is shipped, perhaps the only workaround appears to be to refrain from using the player altogether.

VLC media player boasts more than 3.1 billion installs across various operating systems and various release versions, but this is by no means equivalent to the number of affected systems.