![]() This attack can only be triggered with user interaction: the user has to either download a malicious file or open a stream that is streaming said files,” Trowell said.Īs a result, a malicious actor would be dependent on the user searching out and opening a corrupted file. “There are not a lot of people who are playing random videos they get off the internet as the root/admin user on their computers. Also, this attack doesn’t give an attacker any extra privileges. “It’s easy to make a corrupted stream, but the trick is getting a user to play it. Using the CVSS 2.0 scale, this vulnerability ranks as a 7.5,” Trowell said.īecause the user has to voluntarily interact with the attack mechanism, Trowell said the attacker can’t initiate. While the issue is serious, using the CVSS 3.0 standard to rate the severity of a vulnerability can be a bit misleading as issues tend to rank higher than in version 2. “There have been four recent vulnerabilities disclosed that are loosely related to the same area of code. This isn’t the only VLC issue disclosed this month, according to Larry Trowell, principal consultant at Synopsys. According to NIST’s National Vulnerability Database, the vulnerability CVE-2019-13615 in the media player “has a heap-based buffer over-read.” If exploited, an attacker could gain remote access and potentially disclose information, manipulate files or create a denial-of-service state. In general, VLC does not have a good reputation in the security industry as they regularly will leave vulnerable pre-compiled executables for download despite having patched them in the latest source code," said Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT). “Video players are a frequent target for file format exploits due to the inherent complexity of parsing multimedia files.” I absolutely would not recommend that anyone access untrusted content with VLC due to the high risk of memory corruption vulnerabilities. ![]() ![]() “This is just one in a long and constant stream of flaws in VLC. The latest edition of nonprofit VideoLAN’s VLC media player software has what Germany agency CERT-Bund is calling a serious security flaw that allows hackers to install and run software without user knowledge, according to NewsX.
0 Comments
Leave a Reply. |