VideoLAN took to Twitter earlier this morning to clarify that the security issue discovered by CERT-Bund is not as severe as reported. VideoLAN says the issue was in a third-party library, libebml, and was fixed more than 16 months ago. Mitre's claim was based on a previous (and outdated) version of VLC, not 3.0.3 or more recent, which ships the corrected version of the library.
A critical security flaw was recently discovered in VLC by the German security agency CERT-Bund, and at the time of discovery VideoLAN did not yet have a complete patch.
The security flaw allows remote code execution (RCE), which gives attackers full access to your computer to install, run, and modify anything on it without your knowledge. Attackers can also exploit the issue to cause denial-of-service conditions, a common behaviour of certain malware. CERT-Bund has given it a base vulnerability score of 9.8 out of 10.
To make matters worse, all Windows, Linux, and Unix versions of VLC are affected, but not the macOS version. And with no complete patch available (the one VideoLAN is working on is only 60 percent complete), the only way to keep your computer safe for the moment was to uninstall VLC.
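Since VideoLAN's clarification turns the question into "is my installed VLC 3.0.3 or newer?", the following added example (not code from the article or from VideoLAN) shows a defender-side check: it parses the version number out of `vlc --version` output and compares it against 3.0.3. The sample output strings are constructed for the example, and the exact layout of VLC's version banner is an assumption; only the `major.minor.patch` number is relied on.

```python
import re
import subprocess

# From the article: VLC 3.0.3 and newer ship the corrected libebml.
MIN_FIXED_VERSION = (3, 0, 3)

# Constructed sample banners for offline testing (layout is an assumption).
SAMPLE_OLD = "VLC version 3.0.2 Vetinari (3.0.2-0-gconstructed)\nVLC media player"
SAMPLE_NEW = "VLC version 3.0.7 Vetinari (3.0.7-0-gconstructed)\nVLC media player"


def parse_vlc_version(banner: str) -> tuple:
    """Return (major, minor, patch) from the first x.y.z number in the banner."""
    match = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", banner)
    if not match:
        raise ValueError("no major.minor.patch version found in VLC output")
    return tuple(int(part) for part in match.groups())


def is_patched(version: tuple) -> bool:
    """Tuple comparison handles 3.0.10 > 3.0.3 correctly, unlike string compare."""
    return version >= MIN_FIXED_VERSION


def classify(banner: str) -> str:
    """Map a version banner to 'patched' or 'outdated' for reporting."""
    return "patched" if is_patched(parse_vlc_version(banner)) else "outdated"


def check_installed_vlc(command=("vlc", "--version")) -> str:
    """Run the real binary if present; report 'not-installed' otherwise."""
    try:
        out = subprocess.run(command, capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "not-installed"
    return classify(out.stdout + out.stderr)


if __name__ == "__main__":
    for label, banner in (("sample old", SAMPLE_OLD), ("sample new", SAMPLE_NEW)):
        print(f"{label}: {parse_vlc_version(banner)} -> {classify(banner)}")
    print("installed VLC:", check_installed_vlc())
```

One caveat for Linux users: distribution packages sometimes backport a library fix without changing the upstream version number, so a version below 3.0.3 reported by a distro build is a prompt to check the package changelog, not proof of exposure on its own.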