VideoLAN, the organization behind the popular VLC Media Player, has disclosed multiple critical vulnerabilities that could allow attackers to execute arbitrary code remotely. These vulnerabilities affect both the desktop and iOS versions of the software.
The security advisories, identified as SB-VLC3021 and SB-VLC-iOS359, outline several flaws malicious actors could exploit.
The vulnerability, which involves a potential integer overflow, can be triggered by a maliciously crafted MMS stream, leading to a heap-based overflow.
If successfully exploited, this vulnerability could allow a malicious third party to cause VLC Media Player to crash or execute arbitrary code with the privileges of the target user.
While the primary consequence is likely to be a crash, the vulnerability could be combined with other exploits to leak user information or execute code remotely.
Although Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) help mitigate the risk of code execution, these protections can potentially be bypassed.
Exploiting this vulnerability requires the user to open a maliciously crafted MMS stream explicitly. Users are strongly advised to avoid opening MMS streams from untrusted sources or to disable the VLC browser plugins until a patch is applied.
The VLC development team has addressed this issue in VLC Media Player version 3.0.21. Users are urged to update to this latest version to protect against the vulnerability.
With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis
A popular application’s WiFi file-sharing feature has identified a potential path traversal vulnerability. This vulnerability could allow malicious parties on the local network to upload arbitrary data to storage locations invisible to the user within the application context.
This vulnerability could lead to a denial-of-service (DoS) condition on the affected device due to exceeded storage space or arbitrary data.
It is important to note that no read access by third parties and no write access outside the application container are possible. To date, no exploits have been reported for this vulnerability.
Exploiting this issue requires the user to explicitly start WiFi File Sharing on a local network with potential malicious actors.
VLC-iOS version 3.5.9 addresses the issue. Users are strongly encouraged to update to this version to protect their devices from this vulnerability.
To ensure your VLC Media Player is secure, follow these steps to update:
To date, no exploits have been observed performing code execution through this vulnerability. However, the potential risk remains significant, and users are advised to take precautionary measures.
Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo
The pace of technological change in today’s business environment is unprecedented. Organizations are racing to…
Cyber risk appetite represents the amount and type of cyber risk an organization is willing…
A new campaign by Russian threat actors. These actors are exploiting legitimate Microsoft OAuth 2.0…
Security researchers at Fortinet's FortiGuard Labs have uncovered a sophisticated phishing campaign that uses weaponized…
British retail giant Marks & Spencer (M&S) has confirmed it is dealing with a significant…
In the face of relentless cyber threats and an ever-expanding digital attack surface, security leaders…