critical vulnerability found in VLC media player

Security researcher not disclosing how they crashed it; VideoLAN maintainers say they are unable to reproduce the crash and that this is "fake". As with anything, just make sure your day-to-day Windows login at home isn't admin, don't surf the web as admin... On top of that, VLC isn't exactly internet-facing for home users, so not sure how practical the unreleased method of exploitation is. With 99% of CVEs it's academic.
 
It's not even an exploit; literally all it does is cause a memory leak 'til VLC crashes, and there's a very specific setting change you have to make to cause it to happen that literally no one would ever change.

also here you go..

"Issue is too old libebml in Ubuntu 18.04: libebml 1.3.6 fixes this issue. End of story: VLC is not vulnerable, whether this is 3.0.7.1 or even 3.0.4. The issue is in a 3rd party library, and it was fixed in VLC binaries version 3.0.3, out more than one year ago..."

and that's all folks..
 