Security company reports vulnerability in VLC, but it’s already patched

VLC, the exceptional open-source media player that pretty much runs on everything, has been one of the first programs I install on a new computer or smartphone for years. It’s simple, powerful and free—I couldn’t ask for anything more. Well, except maybe not having it play host to a critical security vulnerability (see update below).

From Gizmodo:

Discovered by German security agency CERT-Bund (via WinFuture), a new flaw in VLC (listed as CVE-2019-13615) has been given a base vulnerability score of 9.8, which classifies it as “critical.”

The vulnerability allows for RCE (remote code execution), which potentially allows bad actors to install, modify, or run software without authorization, and could also be used to disclose files on the host system. Translation: VLC’s security hole could allow hackers to hijack your computer and see your files.

UPDATE: VideoLAN, makers of VLC, tweeted to say that VLC is not vulnerable.

“About the ‘security issue’ on #VLC: VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.”
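The practical question the tweet leaves a reader with is whether the copy of VLC on their own machine is at or above 3.0.3, the release VideoLAN says ships the fixed libebml. The script below is an added example, not code from the post, from Gizmodo or from VideoLAN: it pulls the first dotted version number out of a `vlc --version` style banner (the sample banner here is constructed, not captured from a real install) and compares it field by field as integers, because a plain string comparison would wrongly rank 3.0.11 below 3.0.3.

```shell
#!/bin/sh
# Added example: is an installed VLC at or above the release that bundles the
# fixed libebml? The 3.0.3 threshold comes from the VideoLAN tweet quoted above.

FIXED_VERSION="3.0.3"

# version_ge A B -> exit status 0 if dotted version A >= B.
# Fields are compared numerically; a missing trailing field counts as 0,
# so "3.0" < "3.0.3" and "3.0.11" > "3.0.3".
version_ge() {
    awk -v a="$1" -v b="$2" '
        BEGIN {
            na = split(a, pa, "."); nb = split(b, pb, ".")
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? pa[i] + 0 : 0
                y = (i <= nb) ? pb[i] + 0 : 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# vlc_version_from_banner LINE -> prints the first token that looks like a
# dotted version (e.g. "3.0.8") from the first line of `vlc --version`.
vlc_version_from_banner() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit }
    }'
}

# vlc_status VERSION -> "ok" if at/above FIXED_VERSION, otherwise "update".
vlc_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "ok"
    else
        echo "update"
    fi
}

# Constructed sample banner in the shape of `vlc --version` output; on a real
# host you would feed in: vlc --version 2>/dev/null | head -n 1
SAMPLE_BANNER="VLC version 3.0.8 Vetinari (3.0.8-0-gf350b6b5a7)"
ver=$(vlc_version_from_banner "$SAMPLE_BANNER")
printf 'VLC %s: %s\n' "$ver" "$(vlc_status "$ver")"
```

One caveat: the VLC version is only a proxy for the library version. Distribution packages of VLC on Linux generally link the distribution's own libebml package rather than a bundled copy, so on those systems the libebml package version is the thing to check.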

Gizmodo reports that the National Vulnerability Database’s entry for the bug was downgraded, specifying that the “Victim must voluntarily interact with attack mechanism.”

This post has been corrected to reflect VideoLAN’s debunking of the security researchers’ claims — Rob Beschizza