VLC media player update fixes denial of service crash bug

Don Sharpe
by Don Sharpe
Author
Loading Comments
Download PDF
Affiliate Disclosure

  • VLC media player version 3.0.11 for Windows 10 is now available. 
  • The update brings a patch for a crashing issue that affects the app due to its CVE-2020-13428 flaw. 
  • Do you yearn for an error-free experience with Windows 10 applications? Check out our dedicated Bugs page to learn more!
  • Don't forget to visit the Windows 10 to read the latest Windows news and tips.
VLC CVE-2020-13428 fix

Why would someone launch a denial of service attack just to crash your VLC media player?

A malicious actor could do it for fun, no? Or maybe they found a new way to steal your information. But, whatever their intention is, a flaw in the VLC app could let them do exactly that!

That’s why the folks at VideoLAN recommend that you update to VLC 3.0.11 for Windows 10, which patches the vulnerability.

VLC media player patches crash vulnerability

Tommy Muir alerted VideoLAN to the CVE-2020-13428 flaw that affects the VLC media player.

In a typical CVE-2020-13428 exploit, an attacker remotely delivers a specially crafted script that causes a buffer overflow affecting the VLC H26X packetizer.

They could send you the malware disguised as a genuine media file. They could also deliver it in the form of a media stream.

Once you open the specially crafted file, the malware starts executing.

After that, the bad actor may be able to crash your media player in a denial of service attack. Alternatively, they could gain your user privileges and execute arbitrary scripts.

While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user information or remotely execute code. ASLR and DEP help reduce the likelihood of code execution, but may be bypassed.

The VLC media player takes advantage of address space layout randomization (ASLR), a memory protection technique that minimizes the risk of buffer-overflow attacks. Apart from that, it also leverages data execution prevention (DEP) to guard against the effects of malware and viruses.

But VideoLAN warns that an attacker may still breach ASLR and DEP and succeed in their CVE-2020-13428 attack.

Most probably, the company received a proof of concept from Muir, rather than evidence of an ongoing exploit in the wild. So, you should be safe for now, although updating to the latest version of the VLC media player should be a priority.

Do you use the VLC media player for Windows 10, and are you experiencing any crash issues? Kindly let us know or ask any questions via the comments section below.