VLC Media Player 3.0.12 fixes multiple remote code execution flaws


VideoLan released VLC Media Player 3.0.12 for Windows, Mac, and Linux last week with numerous improvements, features, and security fixes.

This release is a significant upgrade for Mac users as it provides native support for Apple Silicon and fixes audio distortion in macOS.

In addition to bug fixes and improvements, this release also fixes numerous security vulnerabilities reported by Zhen Zhou of the NSFOCUS Security Team.

These buffer overflow or invalid dereference vulnerabilities “could trigger either a crash of VLC or an arbitrary code execution with the privileges of the target user.”

According to VideoLan’s security bulletin, a remote user can exploit this vulnerability by creating specially crafted media files and tricking a user into opening them with VLC.

While VideoLan states that this vulnerability will likely crash VLC Media Player, they warn that attackers could use it to leak information or remotely execute commands on the device.

If successful, a malicious third party could trigger either a crash of VLC or an arbitratry code execution with the privileges of the target user.

While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user informations or remotely execute code. ASLR and DEP help reduce the likelyness of code execution, but may be bypassed.

VideoLan states that they have not seen exploits abusing these vulnerabilities in the wild.

Due to the severity of this vulnerability and to benefit from VLC 3.0.12’s improvements, it is strongly advised that all users download and install version 3.0.12.

You can read the full changelog for version 3.0.12 below:

 * Add new RIST access module compliant with simple profile (VSF_TR-06-1)

Access Output:
 * Add new RIST access output module compliant with simple profile (VSF_TR-06-1)

 * Fixed adaptive's handling of resolution settings
 * Improve Bluray tracks support
 * Improve WMV seeking and DASH support
 * Fix crashes in AVI, MKV modules

Audio output:
 * Fix audio distortion on macOS during start of playback

Video Output:
 * Direct3D11: Fix some potential crashes when using video filters

 * Add native support for Apple Silicon / ARM-64
 * Visual UI adaptations for macOS Big Sur
 * Fix displaying EQ bands in the UI depending on which frequency
   presets are set for the EQ in advanced preferences
 * Fix UI issues in bookmarks window

 * Several fixes in the web interface, including privacy and security
 * Update YouTube and Vocaroo scripts
 * Fix rotation filter mouse handling
 * Update translations

You May Also Like…