The well-known open-source media player VLC recently published a security bulletin and released a new version. The bulletin covers a security vulnerability rated high risk.
The vulnerability, CVE-2020-13428, can lead to remote execution of arbitrary code. It was fixed before disclosure, so users need to upgrade to the new version.
The vulnerability mainly affects the hardware-accelerated codec that ships with the VLC player, and the vulnerable codec is only used on macOS and iOS.
This means that the versions for other platforms, such as Windows, Linux, and Android, are not affected by it. However, other vulnerabilities are also fixed in this release, so all users need to upgrade.
In terms of exploitation, an attacker only needs to create a specially crafted media file and induce the user to play it; the vulnerability is triggered as long as the user plays the file with VLC.
As a reminder, files of unknown origin should not be opened casually in day-to-day use, even media files such as videos or music.