VLC - the popular open-source media player which recently clocked the 3 billion downloads milestone – is in the news again, but for the wrong reasons. A potentially serious security flaw has been discovered in the media player's PC version that leaves the door open for hackers to execute malicious code. The flaw in VLC can reportedly be exploited for launching a denial of service attack, corrupting files, stealing data, and do a lot more. However, there have been no reports so far of the flaw being exploited and a patch is currently under development.
The security flaw, which was reported by CERT-Bund, has been discovered in version 18.104.22.168 of VLC and currently has a NIST threat score of 9.8 out of 10, classifying it as critical. Labelled CVE-2019-13615 in the National Vulnerability Database, the latest VLC security flaw can be exploited by baiting users into playing a malicious MKV video file. Thus, while some reports urge users to uninstall VLC until the patch is rolled out, it's likely safe just not playing an untrusted MKV format file.
A report by The Register claims that a proof-of-concept video exploiting the vulnerability crashes the VLC media player. However, developer comments on the official VideoLAN bug tracking forum state that the VLC crash result cannot be reproduced in large, and is only functional when the ‘Loop One” feature is enabled on VLC's Windows version.
As for the risks, the flaw can be exploited by a malicious party to remotely execute a harmful code and do damage ranging from data theft to service disruption. So far, there have been no reports of the VLC security flaw being misused. Another thing to note here is that only Windows, UNIX, and Linux versions of VLC are affected by the vulnerability, and not its macOS client. VideoLAN said in a tweet that it was unhappy it wasn't contacted before the flaw was published by vulnerability trackers.
VideoLAN has acknowledged the issue and is currently working on a patch that is said to be 60 percent complete. Interestingly, the company behind VLC media player has denied that the bug can even be reproduced to crash VLC media player at all, and the same message has been relayed by a couple of VLC developers as well. However, we recommend readers to temporarily switch to another media player and come back to VLC after VideoLAN has released a patch to fix the security flaw.