For those unaware, VLC media player is one of the best and most popular media players with over 3 billion downloads. It is a free, open source, and portable, cross-platform which can be used on Windows, macOS, Linux, as well as Android and iOS mobile platforms. Whatever the format is, VLC media player can play almost any kind of audio and video formats you want. Symeon Paraschoudis, a researcher from Pen Test Partners, who identified the first high-severity vulnerability as CVE-2019-12874 is MKV double free flaw and resides in ” zlib_decompress_extra() (demux/mkv/utils.cpp) ” function of VideoLAN VLC player. It can be triggered while parsing a malformed mkv file type within the Matroska demuxer. The second high-risk flaw, identified as CVE-2019-5439 and discovered by zhangyang from Hackerone is a buffer overflow vulnerability that resides in ReadFrame (demux/avi/avi.c). It allows a remote user to create some specially crafted avi or mkv files that, when loaded by the target user, will trigger a heap buffer overflow into a targeted system. Successful execution of a malformed file in the targeted system by a malicious third party could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user. A potential attacker can exploit these vulnerabilities by tricking the user to explicitly open a specially crafted malicious MKV or AVI video file. VideoLAN, a non-profit organization that has developed VLC, has published a security advisory, “The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins) until the patch is applied.” VLC users have been strongly recommended to upgrade their media player software to VLC 3.0.7 or later versions to avoid hackers from exploiting this vulnerability on their systems.
