9.8 CVSS on an App Downloaded 3B+ Times?

In July 2019, a severe vulnerability was found in VLC, an extremely popular media player, used to playback different types of videos on computers and mobile phones. VLC boasts impressive total downloads of over 3 billion, and the vulnerability has a highly critical CVE score of 9.8, making this one of the most dangerous and substantial cyber threats to date.

What This Vulnerability Means For Us

The memory-corruption flaw is known to reside in the software’s latest release, but may also be present in its earlier versions. It affects the program’s Windows, Linux, and UNIX versions. VLC is open-source software under the GPL2 license, which means that this vulnerability might affect countless other programs that utilize its media-playback engine.

It allows attackers to not only execute code remotely but also allows for:

  • Unauthorized disclosure of information
  • Unauthorized modification of files
  • Disruption of service
What This Means For CISOs

VideoLAN has confirmed that they have started working on the fix, but there is currently no estimation on when it might be completed. The general advice, at this point, is to refrain from using VLC altogether, which puts CISOs under tremendous pressure to secure their corporate networks. Ideally, CISOs should have been able to identify the threat ahead of time and resolve the issue without the need for patching at all.

What It Could Have Meant With Vicarius

Quite simply, this all could’ve been mitigated using Vicarius’ TOPIA platform -- an advanced AI-driven algorithm, which would have predicted the vulnerability, even before it had become common knowledge, giving CISOs a huge advantage by staying ahead of the curve. TOPIA is the world’s first platform that is capable of proactively analyzing 3rd-party binary files and alert on potential vulnerabilities and threats in real-time.

Had Vicarius been used in this instance, the TOPIA platform would have marked the vulnerability as highly critical due to the way the program utilized system resources. There was no need for source code or cooperation by VideoLAN, the software vendor. Thanks to Vicarius’ TOPIA, and even without patching, the target network would've still been secured, and billions of dollars in anticipated spend operations, logistics, deployment and R&D could’ve been avoided.