VLC Media Player Patches Two Vulnerabilities: Users Urged to Update Immediately
VideoLAN, the organization behind the popular VLC media player, has released urgent security updates to address two critical vulnerabilities that could expose users to serious risks. The flaws, one in the desktop player and one in the mobile app, could allow attackers to crash the application, execute malicious code, or gain unauthorized access to user data.
Desktop Vulnerability: Malicious MMS Streams
The first vulnerability, affecting the VLC media player before version 3.0.21, involves the handling of maliciously crafted MMS (Multimedia Messaging Service) streams. An attacker could exploit this flaw by sending a specially crafted MMS stream to a targeted user. If successful, the attack could result in a denial-of-service (DoS) condition, crashing the VLC player. More alarmingly, in certain scenarios, the attacker could potentially execute arbitrary code with the privileges of the targeted user, giving them control over the victim’s computer.
While VideoLAN states that it has not observed exploitation of this vulnerability in the wild, the potential for significant harm is high. Users are strongly advised to update to VLC media player version 3.0.21 or later immediately to mitigate this risk.
Mobile Vulnerability: Path Traversal via WiFi File Sharing
The second vulnerability affects VLC for iOS version 3.5.9 and earlier. This flaw resides in the WiFi File Sharing feature, allowing malicious actors on the same local network to upload arbitrary data to hidden storage locations within the app.
Although the attacker cannot directly read or modify data outside of the app’s container, this vulnerability could still be used to launch a DoS attack by filling up the device’s storage. The tvOS version of VLC is not affected.
Users of VLC for iOS are urged to update to version 3.5.9 or later and to avoid using the WiFi File Sharing feature on untrusted networks.
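The bug class described above, as an added illustration that is not VLC's own code: a LAN upload handler in which the vulnerable pattern joins the client-supplied file name straight under the shared folder, beside a hardened version that rejects anything but a plain file name, re-checks the resolved path, and caps total stored bytes so a peer on the network cannot fill the device. The function names, quota value and temporary demo folder are assumptions for this example.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Constructed default quota; a real app would pick its own limit.
MAX_TOTAL_BYTES = 50 * 1024 * 1024


def demo_root() -> Path:
    """Constructed scratch folder standing in for the app's shared-files directory."""
    return Path(tempfile.mkdtemp(prefix="share_demo_"))


def unsafe_target(upload_root: Path, client_name: str) -> Path:
    """Vulnerable pattern: trusts the client-supplied name as a relative path.
    A name like '../Library/Caches/x' lands outside the intended folder
    (still inside the app container, which matches the advisory's description)."""
    return upload_root / client_name


def safe_target(upload_root: Path, client_name: str) -> Path:
    """Hardened version: accept only a plain file name, then verify
    the resolved path is a direct child of the upload root."""
    name = unquote(client_name)  # also catches %2e%2e%2f-style encoded traversal
    if "/" in name or "\\" in name or "\x00" in name:
        raise ValueError("directory separators are not allowed")
    if name in ("", ".", "..") or name.startswith("."):
        raise ValueError("rejected file name")
    root = upload_root.resolve()
    candidate = (root / name).resolve()
    if candidate.parent != root:  # defence in depth after the checks above
        raise ValueError("path escapes upload root")
    return candidate


def within_quota(upload_root: Path, incoming_size: int,
                 limit: int = MAX_TOTAL_BYTES) -> bool:
    """Cap total bytes under the upload folder so a LAN peer cannot fill storage."""
    used = sum(p.stat().st_size for p in upload_root.rglob("*") if p.is_file())
    return used + incoming_size <= limit


def accept_upload(upload_root: Path, client_name: str, data: bytes,
                  limit: int = MAX_TOTAL_BYTES) -> Path:
    """Write an upload only if both the name check and the quota check pass."""
    upload_root.mkdir(parents=True, exist_ok=True)
    target = safe_target(upload_root, client_name)
    if not within_quota(upload_root, len(data), limit):
        raise ValueError("upload quota exceeded")
    target.write_bytes(data)
    return target
```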
Mitigation and Workarounds
In addition to updating to the latest versions, VideoLAN recommends the following workarounds until the patches are applied:
- Desktop: Refrain from opening MMS streams from untrusted sources, or disable the VLC browser plugins.
- Mobile: Avoid enabling WiFi File Sharing on networks with potential malicious actors.