Germany’s national Computer Emergency Response Team (CERT Bund) has issued a security alert for a critical vulnerability in the VLC Media Player.
The memory corruption flaw, CVE-2019-13615, affects VLC 3.0.7.1 in Linux, UNIX, Windows and if exploited can allow an attacker to remotely execute arbitrary code, create a denial of service state, disclose information, or manipulate files, CERT Bund wrote.
There is no patch yet available, but ESET noted, “On the bright side, there are no known cases of the security hole being under active exploitation. Nevertheless, until the patch is shipped, perhaps the only workaround appears to be to refrain from using the player altogether.”
“I absolutely would not recommend that anyone access untrusted content with VLC due to the high risk of memory corruption vulnerabilities. In general, VLC does not have a good reputation in the security industry as they regularly will leave vulnerable pre-compiled executables for download despite having patched them in the latest source code.," said Craig Young, computer security researcher for Tripwire’s vulnerability and exposure research team (VERT).