VLC Media Player, the popular open-source software, has been reported to contain a critical vulnerability. The vulnerability, CVE-2019-13615, was identified by the German security agency CERT-Bund.
According to the report, the vulnerability would allow hackers to gain access to the host computer and install or run programs, or even modify files, without the user's knowledge. CERT-Bund has given it a score of 9.8 out of 10. The vulnerability affects Windows, Linux and Unix platforms; macOS is unaffected. The VideoLAN team, however, has denied the existence of the vulnerability.
In their defence, the VideoLAN team said that the issue doesn’t affect VLC directly and is linked to a third-party library called libebml. The team confirmed that the bug has been fixed and that there’s nothing serious about the issue. The team even blamed CERT-Bund for publishing the vulnerability without checking with them.
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
— VideoLAN (@videolan) July 24, 2019
Fortunately, there are no reports of the vulnerability being exploited in the wild. We have reached out to the VideoLAN team to get their statement and proper clarifications on the issue. Since the team has confirmed that there’s no issue with the software, we don’t recommend that users uninstall VLC. However, if you would rather be cautious, there are alternative media players such as Movies and TV from Microsoft and KMPlayer.
Update: The VLC Team has released an official statement regarding the issue, saying:
“The issue at hand here is an issue that was fixed 14 months ago, with libebml 1.3.6 and VLC 3.0.3. All binaries versions for Windows are not affected by this issue.”
“We are trying to fix all the security issues as soon as they are reported, and that can be hard, because VLC supports thousands of formats and codecs”
“Btw, we’re working a lot on VLC 4.0, which will change VLC interface for Windows, quite a bit”.