Reports started to emerge on the Internet about a critical security vulnerability in the popular multimedia player VLC Media Player.
Gizmodo’s Sam Rutherford suggested that users uninstall VLC immediately, and most other tech magazines and sites struck the same tone. Sensationalist headlines and stories generate pageviews and clicks, which is likely the main reason sites prefer them over more measured headlines and articles.
The bug report, filed under CVE-2019-13615, rates the issue as critical and states that it affects VLC Media Player 3.0.7.1 and earlier versions of the media player.
All desktop versions of VLC Media Player, available for Windows, Linux and Mac OS X, are affected by the issue according to the description. A successful exploit would let an attacker execute code remotely on the affected device, according to the bug report.
The description of the issue is technical, but it provides valuable information about the vulnerability nevertheless:
VideoLAN VLC media player 3.0.7.1 has a heap-based buffer over-read in mkv::demux_sys_t::FreeUnused() in modules/demux/mkv/demux.cpp when called from mkv::Open in modules/demux/mkv/mkv.cpp.
The vulnerability can only be triggered if a user opens a specially crafted file in VLC Media Player. A sample media file in mp4 format is attached to the bug tracker entry, which appears to confirm this.
VLC engineers have had difficulties reproducing the issue, which was filed on the official bug tracker four weeks ago.
Project lead Jean-Baptiste Kempf posted yesterday that he could not reproduce the bug, as the sample did not crash VLC at all. Others, e.g. Rafael Rivera, could not reproduce the issue on several VLC Media Player builds either.
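To make the bug class named in the CVE concrete, here is a constructed C illustration, added here and not VLC's code or the code path the CVE describes: a demuxer-style table parser that trusts an entry count read from the file (the over-read pattern) beside a version that validates the count against the bytes actually present. The sample byte strings and the table format are made up for the example. It also shows why such reports are hard to confirm by simply opening the file: a short heap over-read usually returns garbage rather than crashing unless the binary is built with AddressSanitizer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ENTRY_SIZE 4

/* Constructed sample inputs (not from the bug report): one count byte
 * followed by 4-byte big-endian track ids. SAMPLE_BAD claims five entries
 * but only carries two, so a trusting parser walks off the end. */
static const uint8_t SAMPLE_GOOD[] = { 2, 0,0,0,1, 0,0,0,2 };
static const uint8_t SAMPLE_BAD[]  = { 5, 0,0,0,1, 0,0,0,2 };

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* How many bytes a parser that trusts `count` would read beyond a
 * buffer of `len` bytes; 0 when the whole table fits. */
size_t overread_bytes(size_t count, size_t len)
{
    size_t needed = 1 + ENTRY_SIZE * count;
    return needed > len ? needed - len : 0;
}

/* VULNERABLE pattern: the entry count is attacker controlled and trusted.
 * On SAMPLE_BAD the loop reads past the heap block. Without a sanitizer
 * this typically returns a garbage sum silently; built with
 * -fsanitize=address it aborts with a heap-buffer-overflow (READ) report. */
uint32_t sum_track_ids_unchecked(const uint8_t *data, size_t len)
{
    uint8_t *buf = malloc(len);
    if (!buf) return 0;
    memcpy(buf, data, len);
    size_t count = buf[0];
    uint32_t sum = 0;
    for (size_t i = 0; i < count; i++)
        sum += read_be32(buf + 1 + ENTRY_SIZE * i);  /* no bounds check */
    free(buf);
    return sum;
}

/* HARDENED: check the claimed count against the bytes present before
 * touching any entry. Returns the sum, or -1 for a truncated table. */
long long sum_track_ids_checked(const uint8_t *data, size_t len)
{
    if (len < 1) return -1;
    size_t count = data[0];
    if (overread_bytes(count, len) != 0) return -1;   /* table truncated */
    uint32_t sum = 0;
    for (size_t i = 0; i < count; i++)
        sum += read_be32(data + 1 + ENTRY_SIZE * i);
    return (long long)sum;
}

int main(void)
{
    printf("good, checked: %lld\n", sum_track_ids_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("bad, checked:  %lld\n", sum_track_ids_checked(SAMPLE_BAD, sizeof SAMPLE_BAD));
    printf("bad would over-read %zu bytes past the buffer\n",
           overread_bytes(SAMPLE_BAD[0], sizeof SAMPLE_BAD));
    /* Uncomment to compare a silent garbage result with the ASan report:
     * printf("%u\n", sum_track_ids_unchecked(SAMPLE_BAD, sizeof SAMPLE_BAD)); */
    return 0;
}
```

Build it twice, once plainly and once with `cc -fsanitize=address -g`, and uncomment the last call in main: the plain build prints some number and exits normally, the sanitizer build aborts at the first out-of-bounds read. That difference is what a bug tracker needs attached (an ASan trace, not just "it crashes for me") before anyone can reproduce such a report.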
VideoLAN took to Twitter to shame the reporting organizations MITRE and CVE:
Hey @MITREcorp and @CVEnew, the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly…
Oh, btw, this is not a VLC vulnerability…
According to VideoLAN’s posts on Twitter, the organizations did not inform VideoLAN about the vulnerability in advance.
What VLC Media Player users can do
The difficulty engineers and researchers have had replicating the issue makes this a puzzling affair for users of the media player. Is VLC Media Player safe to use in the meantime, because the issue is less severe than initially suggested or not a vulnerability at all?
It may take a while before things get sorted out. Users could switch to a different media player in the meantime or trust VideoLAN’s assessment of the issue. It is always a good idea to be careful about opening files on your system, especially files that come from the Internet and from sources that cannot be fully trusted. For a media-parser bug like the one described in the report, simply opening a crafted file in the player is enough to trigger it; the file does not need to be "executed" in the usual sense.
Now You: What is your take on the whole issue? (via Deskmodder)
The post Confusion about a recently disclosed vulnerability in VLC Media Player appeared first on gHacks Technology News.