VLC FUD Galore (Misclassification of Bug and Threat)

Mystery solved: VLC is safe, culprit an old 'plugin' (external)

  • 'Critical' vulnerability discovered in VLC on Linux and Windows -- but VideoLAN says it is not reproducible

    Reports have emerged of a security bug in the Windows and Linux versions of VLC, making it vulnerable to remote-code execution via malicious videos.

  • Confusion about a recently disclosed vulnerability in VLC Media Player

    Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers detected that the issue was caused by an older version of the third-party library called libebml that was included in older versions of Ubuntu. The researcher used that older version of Ubuntu apparently.

    Gizmodo's Sam Rutherford suggested that users uninstall VLC immediately and the tenor of other tech magazines and sites was identical for the most part. Sensationalist headlines and stories generate lots of pageviews and clicks, and that is likely the main reason why sites like to make use of those instead of focusing on headlines and articles that are not as sensationalist.

  • VLC Player hit by buffer overflow vulnerability in third-party library

    First released in February 2001 and developed under the Lesser GPL V2.1+ licence, VideoLAN Player - most commonly referred to as VLC - is one of the most popular cross-platform media playback and streaming utilities around. Sadly, that very popularity makes it a ripe target for ne'er-do-wells - making a serious flaw discovered in the latest release all the more critical.

    According to the bug's entry on the Common Vulnerabilities and Exposures (CVE) project, the flaw allows malicious or otherwise badly-written code to over-read past the end of a heap-based buffer in the software's MKV demuxing function. The US National Vulnerability Database, meanwhile, rates it as a CVSS 3.0 severity of 9.8 - giving it a top Critical mark, given that it can be used to crash the system, read private data, or even access private files.

Keep Calm, Carry On. VLC Not Affected by Critical Vulnerability

  • Keep Calm, Carry On. VLC Not Affected by Critical Vulnerability

    A recent security alert caused a panic where people thought the VLC Media Player was affected by a critical vulnerability that had no patch. The problem is that the vulnerability was not in VLC, but rather a module that was replaced over 16 months ago.

    According to a series of tweets posted by VLC developer Jean-Baptiste Kempf, it all started when Mitre created a CVE for a reported bug in VLC Media Player without first contacting VideoLan.

VLC Developer Debunks Reports

  • VLC Developer Debunks Reports of 'Critical Security Issue' In Open Source Media Player

    Widespread reports of a "critical security issue" that supposedly impacted users of VLC media player have been debunked as "completely bogus" by developers. Earlier this week, German computer emergency response team CERT-Bund -- part of the Federal Office for Information Security (BSI) -- pushed out an advisory warning network administrators and other users of a high-impact vulnerability in VLC. It seems that this advisory can be traced back to a ticket that was opened on VLC owner VideoLAN's public bug tracker more than four weeks ago. The alleged heap-based buffer overflow flaw was disclosed by a user named "topsec(zhangwy)," who stated that a malicious .mp4 file could be leveraged by an attacker to take control of VLC media player users' devices. The issue was flagged as high-risk on the CERT-Bund site, and the vulnerability was assigned a CVE entry (CVE-2019-13615).

  • VLC developer debunks reports of ‘critical security issue’ in open source media player

    In fact, the earliest version of VLC that is potentially vulnerable to this exploit is 3.0.2, which was superseded in April 2018, leading to suspicions that the bug reporter was working on a computer running an outdated version of Ubuntu.

    "If you report a security issue, at least update your Linux distribution," Kempf said.

    Moreover, says Kempf, it would be very difficult to develop a reliable exploit that worked on older systems, and out of the question to develop a hack against an up-to-date version of the software.

    "The issue was there two years ago, but it's absolutely not possible to take control [of someone's device now]," he said.

    "You need to send a file. The person needs to open it on a vulnerable version of VLC and then you need to disable the security of your machine [in particular, address space layout randomization] to exploit the heap buffer overflow.

    "That was patched more than a year ago, in April 2018."

VLC media player affected by a major vulnerability

  • VLC media player affected by a major vulnerability in a 3rd library, libebml; updating to the latest version may help

    A few days ago, the German security agency CERT-Bund revealed it had found a Remote Code Execution (RCE) flaw in the popular open-source VLC Media Player, allowing hackers to install, modify, or run any software on a victim's device without their authority; it could also be used to disclose files on the host system.

    The vulnerability (listed as CVE-2019-13615) was first announced by WinFuture and received a vulnerability score of 9.8 making it a “critical” problem.

    According to a release by CERT-Bund, “A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.”

'Critical' vulnerability in VLC Media Player downgraded

  • 'Critical' vulnerability in VLC Media Player downgraded after VideoLAN claims the flaw was fixed 16 months ago

    A ‘critical' security flaw in VLC Media Player has been downgraded after the organisation behind the popular app claimed that the issue had already been fixed.

    The NIST National Vulnerability Database has slashed its rating for CVE-2019-13615 from 9.8 to 5.5 and "is awaiting re-analysis which may result in further changes to the information provided" after VideoLAN, the not-for-profit open-source organisation behind VLC Media Player, complained that the advisories and associated CVEs were wrong.

    Taking to Twitter, VideoLAN blamed a reporter for running VLC on an old version of Ubuntu with out-of-date libraries, and security firm MITRE for issuing a CVE before the reporter's claims could be examined by VideoLAN.

Still publishing FUD about VLC

  • Should you uninstall VLC or not? Here's what you must really do

    VLC, the popular multimedia player, was pushed into a controversy after a report submitted by WinFuture stated that the player had security issues. WinFuture in its reports classified the app to be a High Risk (Level 4), hence recommending users to uninstall it from the PCs.

    As per the report, WinFuture claims that the vulnerability would allow hackers to alter the codes and breach the user data in the PC. The security agency described the issue to be 'a remote' that would allow hackers to use the flaw to execute arbitrary codes, create a denial of service state, disclose user information or even manipulate PC files. The vulnerability can also allow the scavengers to install, modify or run software applications without administrative authorisations.

    The report has further stated that the PCs running Windows, Linux, and UNIX operating systems are most vulnerable to the flaw. The security agency cleared that there were no reported cases of data theft through the flaw but considering the potential of the flaw, the users have to be very careful.

VLC FUD continues even after it being totally debunked

  • Is VLC media player Vulnerable to hackers? [Ed: The answer is "no", so why are such FUD pieces still being composed?]

    VLC Media Player has been detected with a critical vulnerability that allows hackers to hijack your computers and see your files.

"VLC representatives say the reports are fake news"
