A critical vulnerability is reported in VLC, but VideoLAN insists that "VLC is not vulnerable"

Secure VLC

A few hours ago a security flaw in VLC was published with a CVSS score of 9.8 out of 10. The "critical flaw" was reported by CERT-Bund and publicised by WinFuture (in German), which describes a vulnerability allowing remote code execution: a remote attacker could install, modify or execute code, or access files on our system, without us noticing. It has also been circulated by MITRE.

The affected versions are said to be those for Linux, Windows and Unix, with macOS unaffected, according to WinFuture and the other outlets that have picked up the story. The good news is that there is no evidence the vulnerability has been exploited, which, together with VideoLAN's account of events, makes us wonder whether all of this is real or a false alarm. In truth, VideoLAN's account, and a third party claiming to have a patch that is 60% complete, only leave us with more doubts about what is going on.

Not a VLC bug

"Have you even checked this? No one can reproduce this issue here."

At the time of writing, VideoLAN seems quite outraged at what MITRE's CVE programme has done. First they complain that MITRE has not been in contact with them for years and now publishes this entry without telling them anything. Then they say it is not a VLC bug at all but one in a third-party library used for MKV files, and that it was fixed months ago:

"About the 'security flaw' in #VLC: VLC is not vulnerable. tl;dr: the bug is in a third-party library, called libebml, which was fixed more than 16 months ago. VLC ships the correct version since 3.0.3, and MITRE did not even check what they published."

A very difficult bug to exploit

The organisation behind one of the most popular players on the planet also has another complaint: how can a bug that cannot be exploited score 9.8 out of 10 for severity? They also say that even in the worst case it is impossible to steal data from the computer or execute code remotely; the most serious outcome is a crash, of the player rather than of the operating system.

VideoLAN had already applied a patch for a bug that, they say, no longer exists in their player. They assure that it has been fixed since VLC 3.0.3, but only a few minutes ago they marked the ticket as "closed". The truth is that 3.0.3 does appear as an affected version. As if that were not enough, NIST has updated the NVD entry with the notice "This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided", which signals that the initial analysis is being revised.
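A practical way to settle the version question on your own machine, as an added example that is neither the article's nor VideoLAN's code: a POSIX shell script that parses the banner printed by `vlc --version`, compares it with 3.0.3, and lists the libebml that the MKV demuxer plugin links against (the plugin file name `libmkv_plugin.so` and the search paths under /usr/lib are assumptions; the sample banner in the script is constructed). The caveat worth keeping in mind is that on Linux VLC normally links the distribution's libebml rather than a bundled copy, so the VLC version number alone does not tell you which libebml is actually in use; the `ldd` line does.

```shell
#!/bin/sh
# Added example, not from the article or from VideoLAN: check whether the
# VLC on this machine is at least 3.0.3 (the release VideoLAN says ships
# the fixed libebml) and show which libebml the MKV demuxer really links.

# version_ge A B: succeed (exit 0) if dotted version A >= B, e.g. 3.0.7.1 >= 3.0.3.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0                              # identical versions
    }'
}

# vlc_version_from_output TEXT: pull "X.Y.Z" out of the banner line that
# `vlc --version` prints ("VLC version 3.0.8 Vetinari (...)").
vlc_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^VLC version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# vlc_libebml_status VERSION: "fixed" if VideoLAN's statement covers this
# version (>= 3.0.3), otherwise "check-needed".
vlc_libebml_status() {
    if version_ge "$1" 3.0.3; then echo fixed; else echo check-needed; fi
}

# Live check of the installed VLC. Also lists the libebml that the MKV
# demuxer plugin links against, because on Linux that is usually the
# distribution's libebml, not one bundled with VLC. The plugin name and
# the /usr/lib search paths are assumptions about a typical install.
check_installed_vlc() {
    if ! command -v vlc >/dev/null 2>&1; then
        echo "vlc not found on PATH"
        return 2
    fi
    v=$(vlc_version_from_output "$(vlc --version 2>/dev/null)")
    echo "installed VLC ${v:-unknown}: $(vlc_libebml_status "${v:-0}")"
    plugin=$(find /usr/lib /usr/lib64 -name 'libmkv_plugin.so' 2>/dev/null | head -n 1)
    if [ -n "$plugin" ]; then
        ldd "$plugin" | grep -i ebml || echo "no libebml linked by $plugin"
    fi
}

# Constructed sample banner (not output captured from a real machine).
SAMPLE_BANNER='VLC version 3.0.8 Vetinari (3.0.8-0-gabcdef0)'
sample_version=$(vlc_version_from_output "$SAMPLE_BANNER")
echo "sample banner -> $sample_version: $(vlc_libebml_status "$sample_version")"
check_installed_vlc || :
```

Run it as a normal user; if `vlc` is on PATH it prints the installed version and verdict, and if the plugin is found the `ldd` line shows the exact libebml shared object the MKV demuxer loads, which is the file whose version actually matters.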

Some say that using VLC is extremely dangerous, and some have even recommended uninstalling it; others say you should verify what has been published and that the bug does not exist; others are amending their original articles... The only sure thing is that I am not uninstalling VLC.
