Several vulnerabilities have been found in VLC’s media player, one of which enables remote code execution on victim’s PCs. According to Antonio Morales of Semmle Security, CVE-2019-14438 lets attackers take over a PC via a specially-crafted .mkv file.
MKV is a common video format that isn’t supported by all media players. As a result, it’s likely users would turn to VLC to play the file, with a simple double click enough to trigger an attacker’s code.
“A hypothetical scenario: an attacker uploads the video file to a tracker Torrent using a filename of a trending TV series,” Morales explained to ThreatPost. “After this, a lot of users download the file via Torrent. The victims only need to open the video file to trigger the vulnerability. This scenario can be applied to all the vulnerabilities.”
The use of TV torrents to share malware is a common tactic. A Kaspersky report from earlier in the year indicated that 129,000 of its users were attacked by Game of Thrones episodes in 2018. However, while most of those efforts were rudimentary, the VLC vulnerability could prove much more easily exploitable. Simply opening a file is enough for attackers to perform any action a user could, without their consent.
Morales pointed to several other dangerous vulnerabilities, including CVE-2019-14970, a buffer overflow bug in the MKV demuxer. Again, this could be triggered by opening a file. In total, he found 11 bugs in VLC, with the two mentioned high risked, and a further five medium severity.
Following the releases, two more pending security issues were discovered by Pulse Security. CVE-2019-13602 reportedly lets attackers perform a heap-based buffer overflow via an .mp4 file. CVE-2019-13962 pertains to a heap-based buffer over-read.
These issues are another reminder to keep your software up to date and never trust files from unknown third parties.