VLC Media Player Plagued By Unpatched Critical RCE Flaw

[silversurfer]

The VLC open-source media player has a critical-severity bug that could enable remote code execution and other malicious actions. Worse, there is no patch to patch the vulnerability.
 
The VLC media player, developed by the VideoLAN project, is used by more than 3.1 billion users. The vulnerability (CVE-2019-13615) exists in the Windows, Linux and UNIX versions of VLC 3.0.7.1 (the latest version of the media player).
 
“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files,” according to a release by German security agency CERT-Bund posted over the weekend.  CERT-Bund discovered the vulnerability.
 
According to NIST, the bug ranks 9.8 out of 10 on the CVSS 3.0 scale, making it critical severity. Despite the level of severity, no patch is currently available for the vulnerability. VideoLAN did not respond to a request for comment from Threatpost.
 
According to VideoLAN, current work is being done to create a patch, which is about 60 percent complete. That said, no exploitation of the vulnerability has been observed yet, according to CERT-Bund.

SOURCE: https://threatpost.com/vlc-media-player-...aw/146611/

[silversurfer]

Keep Calm, Carry On. VLC Not Affected by Critical Vulnerability!

A recent security alert caused a panic where people thought the VLC Media Player was affected by a critical vulnerability that had no patch. The problem is that the vulnerability was not in VLC, but rather a module that was replaced over 16 months ago.

Continue reading here: https://www.bleepingcomputer.com/news/se...erability/