VLC Media Player has an unpatched vulnerability that allows remote code execution (update)

Posted on Monday, July 22 2019 @ 12:30 CEST by Thomas De Maesschalck
UPDATE: July 25, 2019:
False alarm: the VLC developers revealed on Twitter that the vulnerability recently "found" in the media player no longer exists. The tweet mentions that this was a flaw in a third-party library, and that it was fixed 16 months ago. Furthermore, VLC has been safe since version 3.0.3.

If you use VLC Media Player, be aware that the media player suffers from a security vulnerability that could allow remote code execution. By using a specially crafted MP4 media file, attackers can trigger a buffer overflow and do all sorts of nefarious tasks on your computer.

The bug is present in all versions of VLC Media Player and there is no fix. The VLC Media Player developers have been working on a fix since late June, and a recent update indicates the patch is about 60 percent ready.

In the meantime, users should be careful about opening media files from untrusted sources. It's unknown whether this bug is being actively exploited in the wild.

