(Credit: gst/Shutterstock)

VLC Media Player is arguably the king of playing video files on your PC, but you may not be aware that it's also very good at receiving both live and pre-recorded streams over the Internet. In recent years, when Apple did a stream of one of its events, the content was restricted to Apple devices, and VLC was one of the ways to get around that when using Windows.

SEE: Google's Project Stream: Our Odyssey through its groundbreaking game delivery tech

And with any app that can connect to the Internet, VLC (Android, iOS, Windows, Mac) has to tangle with security vulnerabilities. Over the weekend, in fact, there was some concern regarding a security flaw related to VLC and MPlayer. At first glance, it looked as though these two video player apps were vulnerable to a remote code execution vulnerability -- but a new report from HackRead indicates that we don't actually need to be worried.

The issue tagged as CVE-2018-4013 affects a streaming library called LIVE555 that's used by VLC and MPlayer. In computer speak, a library is a collection of documentation and software tools that a developer uses to make an app. With remote code execution, a person can connect to your PC from somewhere on the internet and issue commands that would usually be prohibited, like deleting files or opening various apps.

The hack in question uses a technique that that allows a hacker to access ordinarily restricted areas of system memory, an act known as a buffer overflow. This hack is triggered by sending the target device a specially crafted packet of data over the internet.

However, it turns out that there are two different ways to use LIVE555's libraries. You can use them in a streaming server, or in a streaming client. VLC and MPlayers are classified as clients, and it turns out that the hack does not affect clients, only servers. Speaking to HackRead, a representative said that VLC does have streaming server capabilities, but that the server code doesn't use LIVE555's libraries.

FOLLOW Download.com on Twitter for all the latest app news.

As a result, a computer streaming the video to you may be affected, but your copy of VLC or MPlayer will be fine when receiving and playing that content (at least, where this specific vulnerability comes into play.)

Keeping VLC and all your other apps up-to-date is an important part of securing your computing environment. But thankfully, with VLC, it's very easy -- it does an update check every time you open it. And it should take less than a minute to download and install the latest batch of programming code, because the app is quite compact despite how long it's been around.

Takeaways

  • A remote code execution vulnerability surfaced this weekend that appeared to affect VLC Media Player, but it turns out that the hack only affects server software, and VLC uses server code that comes from a source that's not affected.
  • With remote code execution, a person can connect to your PC from somewhere on the internet and issue commands that would usually be prohibited, like deleting files or opening various apps.

Also see

Tom McNamara is a Senior Editor for CNET's Download.com. He mainly covers Windows, mobile and desktop security, games, Google, streaming services, and social media. Tom was also an editor at Maximum PC and IGN, and his work has appeared on CNET, PC Gamer, MSN.com, and Salon.com. He's also unreasonably proud that he's kept the same phone for more than two years.