Stuff like sophisticated government spyware is scary and all – but don’t forget, a single .wmv file can pwn you via VLC

From theregister.co.uk

VideoLAN has issued an update to address a baker’s dozen of CVE-listed security vulnerabilities in its widely used VLC player software.

The VLC update includes patches to clear up flaws that range in impact from denial of service (read: application crashes) to remote code execution (i.e. malware installation). Users and admins can get fixes for all of the vulnerabilities by updating VLC to version 3.0.8 or later.
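Since the only remediation the article gives is "3.0.8 or later", a fleet-wide check is really a version-comparison problem. The Python below is an added example, not code from the article or from VideoLAN: it parses the banner VLC prints for `vlc --version` (the banner format, and the sample banners, are constructed assumptions; adjust the regular expression if your build prints something different) and compares it numerically against the fixed release. A plain string comparison would wrongly rank `3.0.11` below `3.0.8`, which is why the components are compared as integers.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# First release carrying the fixes described in the article.
FIXED_VERSION: Tuple[int, ...] = (3, 0, 8)

# Assumed shape of the first line of `vlc --version`, e.g.
# "VLC media player 3.0.8 Vetinari (revision 3.0.8-0-gXXXXXXX)".
_VERSION_RE = re.compile(r"VLC media player (\d+(?:\.\d+)*)")


def parse_version(banner: str) -> Tuple[int, ...]:
    """Extract the dotted version from a VLC banner as a tuple of ints."""
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no VLC version found in {banner!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version: Tuple[int, ...],
               fixed: Tuple[int, ...] = FIXED_VERSION) -> bool:
    """True if `version` is at or above `fixed`, comparing component-wise.

    Both tuples are zero-padded to the same length so that 3.0 == 3.0.0
    and 3.0.7.1 sorts below 3.0.8, which a naive string compare gets wrong.
    """
    width = max(len(version), len(fixed))
    padded_version = version + (0,) * (width - len(version))
    padded_fixed = fixed + (0,) * (width - len(fixed))
    return padded_version >= padded_fixed


def check_banner(banner: str) -> bool:
    """Convenience wrapper: parse a banner and report whether it is patched."""
    return is_patched(parse_version(banner))


def audit_installed() -> Optional[bool]:
    """Run the locally installed vlc (if any) and report its patch status.

    Returns None when no vlc binary is on PATH or the banner is unreadable.
    """
    vlc = shutil.which("vlc")
    if vlc is None:
        return None
    try:
        out = subprocess.run([vlc, "--version"], capture_output=True,
                             text=True, timeout=10, check=False).stdout
        return check_banner(out)
    except (OSError, subprocess.TimeoutExpired, ValueError):
        return None


# Constructed sample banners (not real captured output) covering the
# edge cases: a four-part version, the exact fix, a later 3.0.x, and 2.x.
SAMPLE_BANNERS = [
    "VLC media player 3.0.7.1 Vetinari (revision 3.0.7.1-0-gXXXXXXX)",
    "VLC media player 3.0.8 Vetinari (revision 3.0.8-0-gXXXXXXX)",
    "VLC media player 3.0.11 Vetinari (revision 3.0.11-0-gXXXXXXX)",
    "VLC media player 2.2.8 Weatherwax (revision 2.2.8-0-gXXXXXXX)",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        status = "patched" if check_banner(banner) else "NEEDS UPDATE"
        print(f"{banner.split('(')[0].strip():45} -> {status}")
    local = audit_installed()
    print("local vlc:", {None: "not found", True: "patched",
                         False: "NEEDS UPDATE"}[local])
```

Dropping this into an inventory or endpoint-management script gives a yes/no per host without having to track the thirteen individual CVEs; anything that returns `False` is still exposed to the crash and code-execution bugs the update addresses.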

So far, no attacks exploiting these holes have been reported in the wild.

“While these issues in themselves are most likely to just crash the player, we can’t exclude that they could be combined to leak user information or remotely execute code,” VideoLAN offered in announcing the update. “ASLR and DEP help reduce the likeliness of code execution, but may be bypassed.”