Confusion about a recently disclosed vulnerability in VLC Media Player
Reports started to emerge on the Internet about a critical security vulnerability in the popular multimedia player VLC Media Player.
Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers determined that the issue was caused by an older version of the third-party library libebml that was included in older versions of Ubuntu. The researcher apparently used such an older version of Ubuntu.
Gizmodo's Sam Rutherford suggested that users uninstall VLC immediately and the tenor of other tech magazines and sites was identical for the most part. Sensationalist headlines and stories generate lots of pageviews and clicks, and that is likely the main reason why sites like to make use of those instead of focusing on headlines and articles that are not as sensationalist.
The bug report, filed under CVE-2019-13615, rates the issue as critical and states that it affects VLC Media Player 18.104.22.168 and previous versions of the media player.
All desktop versions of VLC Media Player, available for Windows, Linux and Mac OS X, are affected by the issue according to the description. An attacker could execute code remotely on affected devices if the vulnerability is exploited successfully according to the bug report.
The description of the issue is technical, but it provides valuable information about the vulnerability nevertheless:
VideoLAN VLC media player 22.214.171.124 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.
The vulnerability can only be exploited if users open specifically prepared files in VLC Media Player. A sample media file in mp4 format is attached to the bug tracker listing, which appears to confirm this.
VLC engineers have had difficulties reproducing the issue, which was filed on the official bug tracking site four weeks ago.
Project lead Jean-Baptiste Kempf posted yesterday that he could not reproduce the bug, as the sample file did not crash VLC at all. Others, e.g. Rafael Rivera, could not reproduce the issue on several VLC Media Player builds either.
VideoLAN went to Twitter to call out the reporting organizations MITRE and CVE.
Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly...
Oh, btw, this is not a VLC vulnerability...
According to VideoLAN's post on Twitter, the organizations did not inform VideoLAN about the vulnerability in advance.
What VLC Media Player users can do
The difficulties engineers and researchers have in replicating the issue make it a puzzling affair for users of the media player. Is VLC Media Player safe to use in the meantime, because the issue is either not as severe as initially suggested or not a vulnerability at all?
It may take a while before things get sorted out. Users could use a different media player in the meantime or trust VideoLAN's assessment of the issue. It is always a good idea to be careful when it comes to opening files on your systems, especially when they come from the Internet and from sources that cannot be trusted 100%.
Now You: What is your take on the whole issue? (via Deskmodder)