Older versions of VLC media player have a critical security vulnerability (Updated)
Updated on 25 July 2019: VideoLAN has clarified on Twitter that the issue is not as serious as reported. The bug is not in VLC's own code but in libebml, the third-party library VLC uses to parse Matroska (MKV) containers, and it was fixed there more than 16 months ago. The original report was made against an outdated VLC build that was still linked against the old libebml; VLC 3.0.3 and newer already ship the fixed library.
The CVSS base score in the National Vulnerability Database has been lowered from 9.8 to 5.5. Put simply, you no longer need to uninstall VLC to protect yourself. You do need to make sure you are running version 3.0.3 or newer, and on Linux, where distribution packages usually link VLC against the system copy of libebml rather than a bundled one, that the system libebml is current as well.
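The version check the update asks for, as an added example that is not part of the original article and is not VideoLAN's own code. The 3.0.3 threshold comes from the article; the libebml threshold of 1.3.6 is an assumption made here (the release containing the fix VideoLAN pointed to), and the script assumes only that `vlc --version` prints a dotted version number somewhere in its first line. The `pkg-config --modversion libebml` query works only on systems where libebml's pkg-config file is installed, so it is guarded; the two sample banners are constructed for the demonstration, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the article or from VideoLAN): decide whether an
# installed VLC is old enough to still carry the libebml bug described above.
# Assumptions: VLC >= 3.0.3 bundles the fixed libebml (per the article), and
# on Linux builds that link the system libebml, libebml >= 1.3.6 carries the
# same fix (assumed here).

MIN_VLC="3.0.3"
MIN_EBML="1.3.6"

# version_ge A B: succeed when dotted version A is >= B, comparing field by
# field numerically, so 3.0.10 > 3.0.9 (a plain string compare gets that wrong)
# and a missing field counts as 0.
version_ge() {
    printf '%s %s\n' "$1" "$2" | awk '{
        n = split($1, a, "."); m = split($2, b, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            x = (i <= n) ? a[i] + 0 : 0
            y = (i <= m) ? b[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# extract_version TEXT: print the first dotted version number found in TEXT
# (e.g. "3.0.8" from "VLC version 3.0.8 Vetinari"), or nothing if there is none.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# verdict TEXT MIN: print "patched", "vulnerable" or "unknown" for the version
# found in TEXT, measured against the minimum fixed version MIN.
verdict() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_ge "$v" "$2"; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# vlc_verdict BANNER: classify the first line of `vlc --version` output.
vlc_verdict() {
    verdict "$1" "$MIN_VLC"
}

# libebml_verdict VERSION: classify an installed libebml version string.
libebml_verdict() {
    verdict "$1" "$MIN_EBML"
}

# Constructed sample banners (not real output captured from any machine).
SAMPLE_OLD="VLC version 3.0.2 Vetinari"
SAMPLE_NEW="VLC version 3.0.8 Vetinari"
echo "sample old build: $(vlc_verdict "$SAMPLE_OLD") ($SAMPLE_OLD)"
echo "sample new build: $(vlc_verdict "$SAMPLE_NEW") ($SAMPLE_NEW)"

# Live check against this machine, when VLC is on the PATH. VLC prints its
# banner on stderr as well as stdout, so both streams are read.
if command -v vlc >/dev/null 2>&1; then
    banner=$(vlc --version 2>&1 | head -n 1)
    echo "installed VLC: $(vlc_verdict "$banner") ($banner)"
fi

# Distribution packages on Linux usually link the system libebml rather than a
# bundled copy, so check that too where pkg-config can report it.
if command -v pkg-config >/dev/null 2>&1; then
    ebml=$(pkg-config --modversion libebml 2>/dev/null)
    if [ -n "$ebml" ]; then
        echo "installed libebml: $(libebml_verdict "$ebml") ($ebml)"
    fi
fi
```

Run it as a normal user; it needs no privileges. A "patched" verdict for VLC on a Linux system that shows "vulnerable" for libebml is the case the update describes: the player binary is current but the shared library it actually parses MKV files with is not, and the distribution's libebml package is what needs updating.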
Originally published on 24 July 2019:
VLC is one of the most popular cross-platform media players around, thanks in large part to it being completely free and open-source. However, CERT-Bund, the German federal government's computer emergency response team, has published an advisory for a serious security flaw in VLC, which means you might want to uninstall it until the vulnerability is fixed.
The flaw was given a CVSS base score of 9.8 out of 10, which puts it in the "critical" band. It is described as allowing remote code execution (RCE), meaning an attacker could install, modify, or run software on the machine without any authorization, and it can also be used to disclose files on the host system.
Put simply, the flaw could potentially give hackers a way to hijack your PC and view your files.
According to the advisory, most versions of VLC are affected, including the Windows, Linux, and Unix builds. Only the macOS build is listed as unaffected, which means there are potentially a lot of exposed systems out there.
VideoLAN, which develops VLC, is already working on a patch. Unfortunately, until that is finished, the only way to remove the exposure is to uninstall VLC.