Users of the VLC (Video Lan Client) media player, one of the most widely used, powerful, and versatile media players out there, are advised to apply the latest available update, which fixes a nasty bug. Carrying the identifier CVE-2020-13428, this vulnerability allows a malicious remote actor to either crash the media player or carry out arbitrary code execution with the privileges of the victimized user. When combined with additional exploitation scenarios and methods, this RCE flaw can potentially result in the leaking of user information. However, the VLC team believes the most likely outcome remains a crash of the player.
Maybe crashing VLC doesn’t sound like an overly troublesome occurrence. Still, many professionals use the software to stream and broadcast media on the web, so crashing it isn’t merely a hiccup for everyone out there. The flaw affects version 3.0.10 and all earlier versions, so users are advised to upgrade to version 3.0.11 or later as soon as possible. If that’s not an option for any reason, you may refrain from opening files that come from unknown or untrustworthy sources, or disable the VLC browser plugins until you have updated the software. That is because the attacker would craft a special file that triggers the buffer overflow in the software’s H26X packetizer, so avoiding opening anything other than what’s already on your disks should be enough.
Other notable fixes that landed with version 3.0.11 include the following:
The third major version branch of VLC is approaching its end, as the long-awaited VLC 4.0 has been in preparation for more than a year now. Of course, you can only test it out in the form of a nightly build, so it’s not considered stable or fit for critical deployment. This new version will bring a brand new and more modern user interface, support for virtual reality content, and a rich set of optimizations.