Parallel Lines

VLC Security Vulnerability, for the average user!

Writer: KZKZ

Situation:

There are currently a couple of VLC vulnerabilities doing the rounds on security websites. Technical people will already know what they are, so we will write this as what is hopefully a simple article.



First of all, what is VLC?

VLC stands for 'Video-LAN Client' and is a popular multimedia player found on computers worldwide. It works on Windows, Linux, Android devices and Mac computers, so the issue could be widespread. The good news for those of you who don't use it? You can stop reading now! You're all good!


If you use it on Linux, you also have good news: these two vulnerabilities seem to apply only to the Windows and iOS versions.


If you do use it on Windows or iOS, there's no bad news, just some advice on how to avoid this pitfall. I will start by linking the advisories directly from the company, then explain how to fix it and how to keep yourself safe until you get time to apply the fix.



Fix:


If you don't want to know any more than how to fix it, it is pretty simple. Just update VLC by visiting its download page:



VLC details

You can then choose the version you are updating (if it doesn't seem to auto-detect) by clicking one of the icons below the 'Download' button as shown.


When you select your version, you will get the versions listed below. It is recommended that you never install a version with a lower number than these, to avoid this issue in future.


Windows Version: 3.0.21

iOS version: 3.5.9


Once you have updated, congratulations! You are no longer vulnerable to these threats.


Mitigation:


If you are unable to update (due to technical reasons or other issues), then you should be aware of how to avoid the vulnerabilities. For one bulletin, the original article mentions disabling VLC browser plugins and avoiding untrusted MMS streams. The second bulletin advises against using Wi-Fi sharing on networks that might have untrusted people. But what does that mean?


Disable browser plugins:

Applies to: Windows

These are usually add-ons for your browser that make content run smoother when browsing the web. This is a simple explanation, but all you really need to know is that they exist in the browser (Edge, Chrome, Opera, Safari, Chromium for example).

The one shown below is a common one you may have installed. It enables you to play videos in VLC rather than trying to watch them on a website.


Example of plugin
Menu option

The steps for disabling them can be different for each browser. However, you will generally want to look in the menu of each browser you use (yes, sadly, doing it for just one browser won't work if you use multiple browsers).


(Also, apologies for the screenshot being a bit clipped)


But generally you will be looking for a menu option named 'Extensions' or 'Plugins' or similar.


(Please refer to your browser's help page if you are unable to locate it. If you are still unable to find it, go to Google and search for 'How do I disable add-ons for <insert browser here>', which should open up a help page for your chosen browser. Just be sure it's a legitimate page for your browser.)


You can then disable and/or uninstall the add-on, which means you are able to avoid this threat until you can update to the correct version.



Avoid untrusted MMS streams

Applies to: Windows

MMS stream stands for MultiMedia Stream. This is a catch-all term for things that play video, sound or spoken word on the web and can be opened in VLC.


To handle this, it is recommended that you simply don't stream any music or videos from sites that are 'untrusted', which can include sites playing:

  • Music

  • Videos

  • Audiobooks

  • Podcasts

  • Citizen news

  • Sound effects/Ambient noises


Some can be trusted in the interim: official large providers may be trusted for your usual content. However, it may be advisable to avoid using VLC until you can upgrade, if at all possible.


Avoid using Wi-Fi sharing on local networks with untrusted users

Applies to: iOS

If you are using this at home and trust the entire network, then you should be fine.


If you use your iOS device at coffee shops, universities, airports or any other network where you don't know who else is on there, you should ensure you are not sharing files over Wi-Fi.

Reversing the steps in the linked article from Apple will help you to secure your device while out and about.


Remember: If you have it enabled and auto-connect to a public network without realising, you may still potentially be vulnerable.


Summary:


This is a standard thing that happens a lot with software programs. You don't always need to panic when these things come out. Just be safe, and we will try to make things simple for you in future.


