Confusion about a recently disclosed vulnerability in VLC Media Player

Martin Brinkmann
Jul 24, 2019
Updated • Jul 24, 2019
Security

Reports started to emerge on the Internet about a critical security vulnerability in the popular multimedia player VLC Media Player.

Update: VideoLAN confirmed that the issue is not a security issue in VLC Media Player. The engineers determined that it was caused by an older version of the third-party library libebml that shipped with older versions of Ubuntu; the researcher apparently used one of those older Ubuntu versions.

Gizmodo's Sam Rutherford suggested that users uninstall VLC immediately and the tenor of other tech magazines and sites was identical for the most part. Sensationalist headlines and stories generate lots of pageviews and clicks, and that is likely the main reason why sites like to make use of those instead of focusing on headlines and articles that are not as sensationalist.

The bug report, filed under CVE-2019-13615, rates the issue as critical and states that it affects VLC Media Player 3.0.7.1 and previous versions of the media player.

According to the description, all desktop versions of VLC Media Player, available for Windows, Linux and Mac OS X, are affected by the issue. The bug report states that an attacker could execute code remotely on affected devices if the vulnerability is exploited successfully.


The description of the issue is technical, but it provides valuable information about the vulnerability nevertheless:

VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.

The vulnerability can only be exploited if users open specifically prepared files in VLC Media Player. A sample media file in mp4 format is attached to the bug tracker entry, which appears to confirm this.

VLC engineers have had difficulties reproducing the issue, which was filed on the official bug tracker four weeks ago.

Project lead Jean-Baptiste Kempf posted yesterday that he could not reproduce the bug, as it did not crash VLC at all. Others, e.g. Rafael Rivera, could not reproduce the issue on several VLC Media Player builds either.

VideoLAN went to Twitter to shame the reporting organizations MITRE and CVE.

Hey @MITREcorp and @CVEnew, the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly...

Oh, btw, this is not a VLC vulnerability...

According to VideoLAN's post on Twitter, the organizations did not inform VideoLAN about the vulnerability in advance.

What VLC Media Player users can do

The difficulties that engineers and researchers have had replicating the issue make this a puzzling affair for users of the media player. Is VLC Media Player safe to use in the meantime, because the issue is not as severe as initially suggested or not a vulnerability at all?

It may take a while before things get sorted out. Users could use a different media player in the meantime or trust VideoLAN's assessment of the issue. It is always a good idea to be careful when executing files on a system, especially files that come from the Internet and from sources that cannot be fully trusted.
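One concrete check a Linux user can run in the meantime, added here as an example and not part of the article or of VideoLAN's tooling: compare the distribution's installed libebml against the release named as fixed in the discussion on this page, since VideoLAN's update attributes the report to an older libebml shipped by older Ubuntu releases. The 1.3.6 threshold and the Ubuntu package name libebml4v5 are assumptions taken from this page's comments, not from the article body.

```shell
#!/bin/sh
# Added example, not from the article: report whether the system libebml that a
# distribution-built VLC links against predates the fixed release. The 1.3.6
# threshold and the package name libebml4v5 are assumptions taken from this
# page's discussion; adjust them for your distribution.
FIXED_LIBEBML="1.3.6"
LIBEBML_PKG="libebml4v5"

# version_lt A B: succeeds when version A sorts strictly before version B in
# natural (dotted-number) order, so 1.3.9 < 1.3.10 is handled correctly.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# libebml_status VERSION: print "outdated" when VERSION is older than the
# fixed release, otherwise "fixed".
libebml_status() {
    if version_lt "$1" "$FIXED_LIBEBML"; then
        echo "outdated"
    else
        echo "fixed"
    fi
}

# installed_libebml_version: upstream version of the installed package with the
# Debian epoch and revision stripped (Debian/Ubuntu only; empty if not found).
installed_libebml_version() {
    dpkg-query -W -f='${Version}' "$LIBEBML_PKG" 2>/dev/null |
        sed -e 's/^[0-9]*://' -e 's/[-+].*//'
}

main() {
    ver=$(installed_libebml_version)
    if [ -z "$ver" ]; then
        # Per the comments on this page, official VLC binaries bundle their own
        # libebml, so a non-distribution build must be checked by its release notes.
        echo "$LIBEBML_PKG not installed or dpkg unavailable; check your VLC build's bundled libebml" >&2
        return 0
    fi
    echo "$LIBEBML_PKG $ver is $(libebml_status "$ver") relative to $FIXED_LIBEBML"
}

main "$@"
```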

Now You: What is your take on the whole issue? (via Deskmodder)

Publisher: Ghacks Technology News

Comments

  1. Anonymous said on July 29, 2019 at 3:47 am

    which better believe to …?

  2. sebas said on July 25, 2019 at 12:21 pm

    VLC starts slowly on my -new- desktop too and uses quite a bit of memory.

    Thanks to Martin and out of curiosity I installed MPC-HC and boy it is light on my system and easy to configure.

    I have been a long time user of MPC-BE and it is an excellent player. But I read about people on the Russian forum being threatened and stories about installing malware keep appearing. Probably fake, but I prefer MPC-HC now, in combination with VLC.

    1. winseven said on July 25, 2019 at 4:59 pm

      My VLC player opens as fast as MPC-HC.

  3. Tom said on July 25, 2019 at 9:53 am

    Today the person who submitted the bug report apologized for it.

  4. Sunny said on July 24, 2019 at 8:42 pm

    VLC desktop program takes a long time to start and has an ‘ugly’ GUI compared to other media players.
    But it can play 360 degrees videos, which most other media players can not, and it can play most formats and is free. I trust their software to be more secure (updated) than most other free media players.

    As for sensationalist headlines: I learned a long time ago not to trust the mainstream news. The more I personally know about a subject, the more I notice how inaccurate the mainstream news often is.
    They are commercial companies with political and social views that bias their reporting.

    Sometimes I get more accurate info from comments than from the article itself on some websites.

    Most ‘alternative’ news sources are also not to be trusted. They are often extremist or push unfounded conspiracy theories.

    The best you can do is gather info from diverse sources, use your head and be honest.

    1. Stewie said on July 25, 2019 at 12:32 am

      Something must be wrong with your computer because VLC opens in a millisecond on all my devices. Also the GUI is perfect. No touch screen nonsense.

  5. owl said on July 24, 2019 at 4:10 pm

    On the Internet, alternative news (fake news) is constantly and irresponsibly diffused.

    It’s great that “gHacks Tech News” has put together an article that reveals the truth about this topic.

    Gizmodo’s Sam Rutherford suggested that users uninstall VLC immediately and the tenor of other tech magazines and sites was identical for the most part. Sensationalist headlines and stories generate lots of pageviews and clicks, and that is likely the main reason why sites like to make use of those instead of focusing on headlines and articles that are not as sensationalist.
    > Exactly, That is the essence of this alternative news.
    Internet articles have many reliability problems. Check with a trusted site (gHacks Tech News).

    1. ULBoom said on July 25, 2019 at 12:42 am

      Those gawker sites (gizmodo is one) seem to be declining rapidly; very uneven writing and horrible comments sections.

      1. owl said on July 25, 2019 at 4:17 am

        @ULBoom,
        Thank you for your reply (information).
        >> Gawker Media – Wikipedia |
        https://en.wikipedia.org/wiki/Gawker_Media
        >> Gizmodo – Wikipedia |
        https://en.wikipedia.org/wiki/Gizmodo
        As I do not trust information on the Internet because of experience, I rarely browse anything other than “gHacks Tech News”. So I was ignorant about the Gawker site and Gizmodo.

        This scandal article from the popular Japanese portal site “GIGAZINE” is the firing point in Japan.
        https://gigazine.net/news/20190724-vlc-media-player-heap-buffer-overflow/

        This article was also posted on the portal site “freesoft100”, which introduces freesoft, and I learned that the article is spreading.
        freesoft100 | https://freesoft-100.com/
        https://freesoft-100.com/review/user/9147.html
        https://freesoft-100.com/review/vlc-media-player.php

        As it is an influential “GIGAZINE” article in Japan, I am concerned about its spreading power.

        About the measures:
        I sent a request to correct this article to GIGAZINE. (No answer, the article has not been updated)
        Also, I posted the facts to “freesoft 100”.
        https://freesoft-100.com/review/vlc-media-player.php

      2. owl said on July 25, 2019 at 10:36 am

        > I sent a request to correct this article to GIGAZINE. (No answer, the article has not been updated)
        >> The article was corrected at 12:13 (JST) on July 25, 2019 (In UTC, it is 03:13 on July 25).
        GIGAZINE | https://gigazine.net/news/20190725-video-lan-forsay-vulnerability/
        The content is based on facts,
        The corrected article supports the claims of VideoLAN and “gHacks Tech News”.

        > Also, I posted the facts to “freesoft 100”.
        >> Here also, the contributor has added a correction.
        freesoft 100 | https://freesoft-100.com/review/user/9147.html
        【Postscript】In UTC, it is 04:31 on July 25

      3. Martin Brinkmann said on July 25, 2019 at 10:59 am

        Great work owl!

      4. owl said on July 25, 2019 at 12:05 pm

        Thanks for the comment, Martin.
        When I reported this scandal article (e-mail and post: https://www.ghacks.net/2019/06/06/vlc-media-player-3-0-7-released-security-updates-and-improvements/ ), it was a great help in stopping the “proliferation of unfair reputation” that you quickly organized the problem and made it an article.
        Thanks and respect to Martin and “gHacks Tech News”.

  6. Anonymous said on July 24, 2019 at 3:55 pm

    VLC is gratis and libre software with zero ads, tracking or other anti-user features, even having declined offers of tens of millions of euros to include those. No “but we need to grow”, no “but nowadays software can only be funded by ads”, no “but tracking is necessary to develop the software”, no “but tracking what you listen to is an acceptable price for the wonderful service we offer in exchange”, none of the usual lies. Made primarily in Europe, it does deliberately ignore the US reactionary software patents law. It also allows playing DVDs, while Windows 10 stopped supporting them.

    Having to compete with widely known and ethical software like VLC must make the greedy assholes trying to sneak ads, tracking and other garbage into their own competing products really unhappy. That includes the default media players in major operating systems.

    I don’t know why exactly this US government funded Mitre cybersecurity corporation wants to sabotage VLC by disclosing fake vulnerabilities and never disclosing vulnerabilities to the developer team before making them public as should be the standard procedure. But they’re obviously not primarily concerned about security here.

  7. steve#99 said on July 24, 2019 at 3:46 pm

    A security best practice is to use your host firewall to deny all incoming and outgoing connections by default. In Windows, this requires you to set that policy and to delete all default outgoing and incoming rules, which are a security-violating, privacy-stealing mess. Then, only set the rules that align with your wishes.

    For instance, with any OS to cruise the inet, you only need to allow three ports open to two apps. For instance on windows, only allow firefox or chromium to 443 & 80 and dnscrypt-proxy to 443. If you don’t use dnscrypt-proxy, allow svchost+dnscache to port 53. And if you were really smart, you’d allow only 443 out to your browser and never 80. These days, any site not offering https doesn’t deserve to be on the net.

    That simple practice will protect against issues like this one, which occur very frequently in many apps, not just VLC. It will also protect you against a lot of malware that needs to connect to a C2 host to drop additional files and instructions. As a side bonus, a well configured host firewall greatly enhances user privacy.

    PS: Long live VLC, especially the portable version: a powerful, flexible, rational player that delivers great enjoyment to its users.

  8. mn-- said on July 24, 2019 at 3:12 pm

    My take from the original report and the VLC folks’ updates:

    Looks like there most likely is an actual vulnerability but not as severe for VLC as the initial reports claimed. It’d be in libebml, a Matroska project library used by the MKV container handling, and was fixed there in version 1.3.6 released in April 2018.

    However, it’d be an unpatched vulnerability in Ubuntu 18.04 LTS as of right now because that fixed version missed the Ubuntu cutoff and the fix hasn’t been backported to updates.

    It would seem to potentially affect any application using libebml older than 1.3.6. That would include any media player (including VLC) built using the default libebml on Ubuntu 18.04 and possibly derivatives – as well as official VLC 3.0.2 packages and older for Windows, AND any other media players using libebml 1.3.5 or older for MKV support.

    Snap-based version of VLC on Ubuntu 18.04 seems to have a fixed libebml included in the snap package.

  9. TelV said on July 24, 2019 at 3:04 pm

    Well, this is not the first time that a supposed vulnerability has been discovered in VLC. Slashdot made exaggerated claims of one not so long ago which turned out to be related to Live555 media libraries which only affects streaming server applications, not the players which use it: https://threatpost.com/critical-bug-impacts-live555-media-streaming-libraries/138477/

    Consequently I’m inclined to take this latest revelation with a large pinch of salt.

  10. Anonymous said on July 24, 2019 at 2:44 pm

    About one of the only sites who actually do actual digging before posting an article with a clickbait title on full force. Cheers.

  11. Yuliya said on July 24, 2019 at 2:19 pm

    First time I hear about this o.O I don’t really care, honestly. If you have a malicious file in your system, trying to exploit a “vulnerability”, then you’ve got bigger problems. Such a file should never land on your machine in the first place.
    I’m of the same opinion in case of nonsense like Spectre/Meltdown, aka b/s FUD you should not worry about.

    1. Nick said on August 7, 2019 at 7:01 pm

      If this vulnerability had been as initially reported, then the malicious file wouldn’t need to be on your machine, it would only require social engineering to convince a user to click on a link. Since this kind of social engineering is hugely successful, this would have been a major issue.

      Spectre/Meltdown is largely a non-issue for individual users. It is a significant headache for shared infrastructure service/cloud providers, as maintaining isolation between different users’ processes on the same infrastructure is rather vital to any security. So it’s not FUD, but it probably wouldn’t need to concern most users, except in how much more expensive cloud services are compared to not having to worry about it (as losing the performance optimisations of speculative execution etc. means the providers need 5-20% greater capacity to service the same demand).

    2. Anonymous said on July 24, 2019 at 2:45 pm

      lol. tell that to all server guys on the clockwork to deal with side channel attack clusterf.

  12. Klaas Vaak said on July 24, 2019 at 1:51 pm

    My take: scare mongering.

  13. nosamu said on July 24, 2019 at 1:18 pm

    From the VLC issue page:

    “End of story: VLC is not vulnerable, whether this is 3.0.7.1 or even 3.0.4. The issue is in a 3rd party library, and it was fixed in VLC binaries version 3.0.3, out more than one year ago…
    Note: if you report a security issue, at least update your linux distribution.”

    Conclusion: Fake / irresponsible news.

  14. Bobo said on July 24, 2019 at 12:59 pm

    I believe most VLC users belong to the rather large “Don’t know – Don’t Care” user group. A gloriously smug, infamous group that doesn’t read any tech related news and religiously installs VLC, Firefox, CCleaner, Avast, WinAMP and Adobe Reader because “Those are the best and I have done this for over 20 years without any problems so don’t you tell me what to do!”. I belong to the even more smug group that lets the other group sink with their ship while I smile and wave and watch them drown without lifting a finger to help. In 2019 one does not need VLC to play video files, it’s an ugly old bloated behemoth. A wrinkly hippo that needs to shape up, slim down and for God’s sake put some make-up on! As an avid VLC hater I luuuuuuuuuuuuuuuuv news like these, trolling like a sonofabitch now!!..gonna make some popcorn..

    1. steveb said on July 26, 2019 at 12:29 pm

      @bobo – You must spend an awful amount of time reading all the stuff relating to your use of phones, cookers, fridges, cars, etc and what to do in case of flood, fire, airplane forced landings, illnesses, etc etc – or are you one of the smug gits who knows all there is to know, or perhaps just a smug git when it comes to apparent computer security – or are you just as you say a VLC hater and thus have nothing positive to say.

    2. MdN said on July 24, 2019 at 3:31 pm

      Wow, Bobo, where do you live? In my city no one has heard of VLC, or if they did they haven’t tried it – everyone I meet just installs a cracked version of BS Player because “it downloads subtitles automatically” and because some local tech “gurus” used it 20 years ago and no one ever looked at anything else ever since. As for the rest, they do use CCleaner but their browser of choice is Chrome. And “Windows Defender” is all the antivirus they need (someone told me why but I can’t remember any more). WinAmp is not necessary because of course you’re supposed to listen to music on YouTube (argh).
      Me? SMPlayer on Linux but I have VLC too, and use VLC for videos on my phone.

      1. ULBoom said on July 25, 2019 at 12:38 am

        I don’t use any of that stuff. Is it me?

    3. Tom Hawack said on July 24, 2019 at 1:39 pm

      “A gloriously smug, infamous group that doesn’t read any tech related news and religiously install VLC, Firefox, CCleaner, Avast, WinAMP and Adobe Reader because ‘Those are the best and I have done this for over 20 years without any problems so don’t you tell me what to do!’”

      “Don’t tell me what to do” means facing someone or an article stating what to do, in which case members of such groups do appear to be narrow-minded, to say the least: “Here are the facts, here is what you can do to improve your privacy and security” slapped by a “Move off” is indeed a stunning attitude.

      But I’m afraid most of us just don’t happen to be in that situation: it’s not that they are informed and refuse, it’s that they are totally unaware of the reality of computing and of the Web, its places and its applications.

      Some say that “Ignorance is blessing”. Blessed are the wounded as well, perhaps, even if responsibility is what distinguishes a wounded animal from a wounded soldier when the latter’s sufferance is due to his own irresponsibility.

  15. Tom Hawack said on July 24, 2019 at 12:01 pm

    Quoting the above mentioned bug report, filed under CVE-2019-13615:
    “CVE-2019-13615 Detail
    Modified

    This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.”

    @Martin, you write “Sensationalist headlines and stories generate lots of pageviews and clicks, and that is likely the main reason why sites like to make use of those instead of focusing on headlines and articles that are not as sensationalist.” and I couldn’t agree more. This is not Ghacks’ policy fortunately and this is why your site is a reference : placid and objective.

    Not sure about my take on this issue other than a general consideration on the possible gap between sensationalism and reality given I don’t run the VLC Media Player.
