VideoLAN Player, one of the most popular and ‘modable’ open-source video players, may be prone to backdoor attacks. A company release note stated that the flaw, coined CVE-2019-13615, allowed malicious remote code execution on the machine. This, in turn, would grant cybercriminals rights to download, install, write, and rename software without authorization. VLC set out to address the issue but disclosed that the patch is about 60% complete.

Initially flagged by CERT-Bund on July the 19th, the VLC flaw, known by its technical name of CVE-2019-13615, received a 9.8 vulnerability score. This translates to a critical, zero-day flaw. However, upon closer inspection, VLC’s debug team traced the flaw to a defective library, managed by a third party. The library in question, called Libebml, was found to contain a vulnerability which potentially allowed malicious actors to run code in the background.

CERT-Bund analysis revealed that the backdoor agent would have allowed anyone to write/read memory, inject code, deactivate AV software, and steal data without the user being aware of the intrusion. VLC later invalidated CERT-Bund’s appraisal, saying that the issue isn’t that critical. Interestingly enough, the library found to be responsible for the flaw received a fix approximately a year ago. With VLC’s ad-libs, the bug’s been downgraded from 9.8 to 5.5, which translates to “medium” on the vulnerability scale.

MITRE’s description of the VLC flaw reads:

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.

To be able to exploit this defect, the malicious agent would have to craft a. Upon decoding, the file would have injected code in the system, leading to denial-of-access or complete data loss.

Unfortunately, VLC is still far behind on delivering a fix for the CVE-2019-13615 issue. Per the company’s statement, the patch is about 60 percent complete, but no development timeline has been posted so far. In the meantime, VLC advises its customers to use as many security layers as possible and to uninstall the product until the patch is released.

Now, if you really want to buck up on your cybersecurity, you could also try these tips:

1. Don’t download and open videos from untrusted sources

VLC is, without a doubt, one of the most ‘abused’ open-source players. There’s a perfectly good reason why so many choose VLC over BSPlayer or other video decoders: it’s light, runs on almost every platform, and can play any video extension. However, VLC is quite appreciated by people who pirate content instead of paying for it. My advice to you: stick with original content and stream whenever you can. mkv from an untrusted source like Pirate Bay, you risk triggering the VLC flaw.