iPhones, VLC Player Both At Risk

John Lister

Users of both Apple devices and the VLC media player should watch out for potentially serious security bugs. The former is a particular embarrassment for Apple.

It turns out the company fixed a security bug in iOS 12.3 in April, then accidentally removed the fix in iOS 12.4, which it released last month. It now plans to fix it imminently in an emergency update to be titled iOS 12.4.1.

The bug is very serious as it potentially allows a rogue app to "execute arbitrary code with system privileges." That effectively means malware could have complete control over an iOS device, something that's normally almost impossible given how locked down Apple keeps its devices.

Extra Care Needed With App Downloads

Users need to take two particular steps to minimize risk until the fix is issued.

Firstly, they should be more wary than usual about downloading and installing unfamiliar apps in case they've got past Apple's vetting process. The risk is low, but the potential damage is high. In particular, users should watch out for apps that pose as legitimate, well-known apps as a way to trick people into downloading them.

Secondly, users should resist the temptation to follow any online instructions for "jailbreaking" the phone, which means accessing the operating system beyond normal limits and running unapproved apps. Right now, such instructions could leave the device vulnerable to the attack. (Source: theguardian.com)

Media Player Bug Could Risk Hacking

Meanwhile, users of the popular VLC media player need to apply the latest update (to version 3.08) before watching any videos. It fixes 13 bugs, all of which could be triggered by opening a "booby-trapped" file in common formats such as WMV and MP4. Some of the bugs could also be triggered through browser plugins.

The most likely effect of any attempt to exploit the bugs would simply be crashing the video player. However, makers VideoLAN say they can't rule out more serious exploits such as accessing sensitive data on a computer or remotely executing code. (Source: theregister.co.uk)

What's Your Opinion?

Should Apple contact users directly to warn about such problems? Have you ever been tempted to "jailbreak" a phone? Do you worry about security risks from applications such as video players on your computer?


Comments

ehowland

Although I do not use an Apple phone (Android), I typically keep one to guide clients if needed. Right now I have a fully functional iPhone 6S. It says iOS 12.4 and claims it is up to date and DOES NOT offer me 12.4.1 as an update. Any idea when this is to be released?

Also, a clarification please: was it VLC on any device (PC, Mac, Apple iPhone, Android phone) or was VLC player only a problem on an iPhone?

ehowland

About 6 minutes to download and about the same to apply to my test iPhone 6S.