Fixed a remote code execution vulnerability in the VLC player

An update to the VLC media player has been released that fixes a sudden player crash and a remote code execution vulnerability.



The VLC Media Player 3.0.12 update was released recently. Most of the attention has gone to its improvements for Mac owners, which have already been covered. There is, however, a second point that matters for information security: the update fixes critical security issues.



What is the problem with the player







The vulnerabilities were discovered by Zhen Zhou of the NSFOCUS group. They allow an attacker to execute code remotely on a victim's computer.



The root cause is a buffer overflow: the program writes data outside the memory area allocated for it. Bugs of this kind come from incorrect handling of input data and memory, typically a size or length taken from untrusted input that is used without being checked against the size of the destination buffer. As a result, the data located before or after the buffer can be corrupted, and whatever that data controls (a pointer, a length, a flag) is now under the attacker's influence.



Main problems



Researchers found several security problems at once.



First, an attacker can run arbitrary code in the context of the player, with the privileges of the account under which it is launched.



Second, the same flaw can crash the media player, resulting in a denial of service.



Both issues have been fixed, according to the project's security bulletin.



Third, the bulletin also mentions an invalid pointer dereference. With such a bug, the program accesses memory through a pointer that does not hold a valid address. The access fails, and in most cases the program crashes.



To exploit the vulnerabilities, an attacker needs the victim to open a specially crafted file or connect to a specially crafted stream. Two outcomes are then possible: VLC crashes, or the attacker runs arbitrary code remotely.
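The overflow described above and the crafted-file scenario are easiest to see in code. The following is an added example written for this article, not VLC code and not the bug that 3.0.12 fixes: it uses a hypothetical chunk format (one tag byte, one length byte, then the payload) and a hypothetical `track_info` record whose `is_trusted` flag sits right after a 16-byte title buffer, so that an overflow of the buffer lands on data the program relies on. The sample chunks are constructed inline. The vulnerable parser trusts the length byte from the file; the hardened one checks it against both the input actually present and the destination field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout for this example (not VLC's): a fixed-size
 * title field followed by a flag that decides whether the stream is trusted.
 * The flag plays the role of the "data located after the buffer". */
struct track_info {
    char title[16];
    int  is_trusted;
};

/* Constructed chunk format for the example: [tag:1][len:1][payload:len].
 * Real container formats are more involved, but the trust decision is the same. */

/* Vulnerable parser: trusts the length byte from the file and copies that
 * many bytes into the 16-byte title field. A chunk whose len is 16 or more
 * writes past title into is_trusted and beyond; a len larger than the data
 * actually present also reads past the end of the input. Returns the number
 * of bytes consumed, or -1 if even the header is missing. */
int parse_chunk_unsafe(const uint8_t *in, size_t in_len, struct track_info *out)
{
    if (in_len < 2)
        return -1;
    size_t len = in[1];
    size_t i;
    for (i = 0; i < len; i++)           /* no check against sizeof out->title */
        out->title[i] = (char)in[2 + i];
    out->title[i] = '\0';
    return (int)(2 + len);
}

/* Hardened parser: the declared length is checked against the bytes actually
 * present (no out-of-bounds read, which is a crash) and against the
 * destination field, leaving room for the terminator (no out-of-bounds
 * write). On a malformed chunk it returns -1 and leaves *out untouched. */
int parse_chunk_safe(const uint8_t *in, size_t in_len, struct track_info *out)
{
    if (in_len < 2)
        return -1;
    size_t len = in[1];
    if (len > in_len - 2)               /* payload shorter than declared */
        return -1;
    if (len >= sizeof out->title)       /* payload does not fit the field */
        return -1;
    memcpy(out->title, in + 2, len);
    out->title[len] = '\0';
    return (int)(2 + len);
}

/* Constructed sample chunks, not taken from any real file. */
static const uint8_t GOOD_CHUNK[] = { 0x01, 5, 'H', 'e', 'l', 'l', 'o' };
static const uint8_t TRUNCATED_CHUNK[] = { 0x01, 5, 'H', 'i' };
/* Length byte 19 with 19 payload bytes: enough to overwrite is_trusted
 * (bytes 16..19 of the struct) without running off the end of the struct. */
static const uint8_t EVIL_CHUNK[] = {
    0x01, 19,
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
    'A', 'A', 'A'
};

int main(void)
{
    struct track_info t;

    memset(&t, 0, sizeof t);
    parse_chunk_unsafe(EVIL_CHUNK, sizeof EVIL_CHUNK, &t);
    printf("unsafe parser: is_trusted after the crafted chunk = 0x%x\n",
           (unsigned)t.is_trusted);

    memset(&t, 0, sizeof t);
    int rc = parse_chunk_safe(EVIL_CHUNK, sizeof EVIL_CHUNK, &t);
    printf("safe parser: rc = %d, is_trusted = 0x%x\n", rc, (unsigned)t.is_trusted);
    return 0;
}
```

Compiled without optimisation on a little-endian machine, the unsafe parser leaves `is_trusted` holding the payload bytes `'A','A','A',0` (0x00414141) instead of 0: the file has flipped a decision the program never meant to expose. The safe parser rejects the same chunk with -1 and leaves the record alone. The two checks in `parse_chunk_safe` are the whole fix: one bounds the read, one bounds the write, and both must be present, since a missing read check gives the crash (denial of service) and a missing write check gives the corruption that can become code execution.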






The developers say they have seen no attempts to exploit these vulnerabilities, but they recommend updating to VLC Media Player 3.0.12 on Windows, macOS and Linux. Until the update is installed, the practical precaution is to avoid opening media files and streams from untrusted sources, since that is what exploitation requires.



Security problems are found in VLC fairly regularly, but they are usually fixed before criminals start exploiting them.



A little about VLC



VLC is a free, open source media player and one of the most popular. It supports a wide range of formats, playing local multimedia files as well as streams over many protocols. Every supported format is another parser handling untrusted input, which is where bugs of the kind fixed in 3.0.12 tend to appear.



The player is developed by the VideoLAN project team, mostly volunteers who “believe in the power of open source”.



The VideoLAN project started as a student initiative in France in 1996. Today developers from 40 countries take part in it.





