Does VLC have to be running to be vulnerable or just installed?
A serious vulnerability has been found in the current version of the VLC media player. It can allow an attacker to remotely view and alter data, as well as execute code, on affected systems. VideoLAN is working on a fix to be incorporated into the next version of VLC, but there's no ETA.
Source: NVD - CVE-2019-13615
Does VLC have to be running to be vulnerable or just installed?
It's a long shot if it happens. You have a better chance of getting struck by lightning, honestly.
Hi there
If you are paranoid about this problem use another media player until it's fixed -- KODI plays everything VLC does and there are a whole slew of other ones. VLC is good and I'm sure a fix will be released quickly.
Personally I'd never use any Windows OS for multi-media streaming or playing, but that's an individual's choice -- VLC runs perfectly on a lot of Linux NAS systems, Android devices, smart TVs and things like Amazon Fire Sticks. All these OSes have better protection against these sorts of exploits anyway, and I really can't say I'd be bothered if someone wanted to hack into my Smart TV - nothing for them there!!!!
Cheers
jimbo
Most likely running, since it is caused by a buffer overflow.
As for the remote exploitation, I wonder if a firewall would help? We will see, once full details are disclosed.

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.
VLC engineers are saying that the issue is in a third-party library, and it was fixed over 16 months ago.
VideoLAN (@videolan) | Twitter
The CVSS v3.0 base score, which measures the overall severity of a vulnerability, was changed from 9.8 (critical) to 5.5 (medium).
NVD - CVE-2019-13615