
VLC FUD Galore (Misclassification of Bug and Threat)

Mystery solved: VLC is safe, culprit an old 'plugin' (external)

  • 'Critical' vulnerability discovered in VLC on Linux and Windows -- but VideoLAN says it is not reproducible

    Reports have emerged of a security bug in the Windows and Linux versions of VLC, making it vulnerable to remote-code execution via malicious videos.

  • Confusion about a recently disclosed vulnerability in VLC Media Player

    Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers detected that the issue was caused by an older version of the third-party library called libebml that was included in older versions of Ubuntu. The researcher used that older version of Ubuntu apparently.

    Gizmodo's Sam Rutherford suggested that users uninstall VLC immediately and the tenor of other tech magazines and sites was identical for the most part. Sensationalist headlines and stories generate lots of pageviews and clicks, and that is likely the main reason why sites like to make use of those instead of focusing on headlines and articles that are not as sensationalist.

  • VLC Player hit by buffer overflow vulnerability in third-party library

    First released in February 2001 and developed under the Lesser GPL V2.1+ licence, VideoLAN Player - most commonly referred to as VLC - is one of the most popular cross-platform media playback and streaming utilities around. Sadly, that very popularity makes it a ripe target for ne'er-do-wells - making a serious flaw discovered in the latest release all the more critical.

    According to the bug's entry on the Common Vulnerabilities and Exposures (CVE) project, the flaw allows malicious or otherwise badly-written code to over-read past the end of a heap-based buffer in the software's MKV demuxing function. The US National Vulnerability Database, meanwhile, rates it as a CVSS 3.0 severity of 9.8 - giving it a top Critical mark, given that it can be used to crash the system, read private data, or even access private files.

Keep Calm, Carry On. VLC Not Affected by Critical Vulnerability

  • Keep Calm, Carry On. VLC Not Affected by Critical Vulnerability

    A recent security alert caused a panic where people thought the VLC Media Player was affected by a critical vulnerability that had no patch. The problem is that the vulnerability was not in VLC, but rather a module that was replaced over 16 months ago.

    According to a series of tweets posted by VLC developer Jean-Baptiste Kempf, it all started when Mitre created a CVE for a reported bug in VLC Media Player without first contacting VideoLan.

VLC Developer Debunks Reports

  • VLC Developer Debunks Reports of 'Critical Security Issue' In Open Source Media Player

    Widespread reports of a "critical security issue" that supposedly impacted users of VLC media player have been debunked as "completely bogus" by developers. Earlier this week, German computer emergency response team CERT-Bund -- part of the Federal Office for Information Security (BSI) -- pushed out an advisory warning network administrators and other users of a high-impact vulnerability in VLC. It seems that this advisory can be traced back to a ticket that was opened on VLC owner VideoLAN's public bug tracker more than four weeks ago. The alleged heap-based buffer overflow flaw was disclosed by a user named "topsec(zhangwy)," who stated that a malicious .mp4 file could be leveraged by an attacker to take control of VLC media player users' devices. The issue was flagged as high-risk on the CERT-Bund site, and the vulnerability was assigned a CVE entry (CVE-2019-13615).

  • VLC developer debunks reports of ‘critical security issue’ in open source media player

    In fact, the earliest version of VLC that is potentially vulnerable to this exploit is 3.0.2, which was superseded in April 2018, leading to suspicions that the bug reporter was working on a computer running an outdated version of Ubuntu.

    “If you report a security issue, at least update your Linux distribution,” Kempf said.

    Moreover, says Kempf, it would be very difficult to develop a reliable exploit that worked on older systems, and out of the question to develop a hack against an up-to-date version of the software.

    “The issue was there two years ago, but it’s absolutely not possible to take control [of someone’s device now],” he said.

    “You need to send a file. The person needs to open it on a vulnerable version of VLC and then you need to disable the security of your machine [in particular, address space layout randomization] to exploit the heap buffer overflow.

    “That was patched more than a year ago, in April 2018.”

VLC media player affected by a major vulnerability

  • VLC media player affected by a major vulnerability in a 3rd library, libebml; updating to the latest version may help

    A few days ago, the German security agency CERT-Bund revealed it had found a Remote Code Execution (RCE) flaw in the popular open-source VLC Media Player, allowing hackers to install, modify, or run any software on a victim’s device without their authority; it could also be used to disclose files on the host system.

    The vulnerability (listed as CVE-2019-13615) was first announced by WinFuture and received a vulnerability score of 9.8 making it a “critical” problem.

    According to a release by CERT-Bund, “A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files.”

'Critical' vulnerability in VLC Media Player downgraded

  • 'Critical' vulnerability in VLC Media Player downgraded after VideoLAN claims the flaw was fixed 16 months ago

    A ‘critical' security flaw in VLC Media Player has been downgraded after the organisation behind the popular app claimed that the issue had already been fixed.

    The NIST National Vulnerability Database has slashed its rating for CVE-2019-13615 from 9.8 to 5.5 and "is awaiting re-analysis which may result in further changes to the information provided" after VideoLAN, the not-for-profit open-source organisation behind VLC Media Player, complained that the advisories and associated CVEs were wrong.

    Taking to Twitter, VideoLAN blamed a reporter for running VLC on an old version of Ubuntu with out-of-date libraries, and security firm MITRE for issuing a CVE before the reporter's claims could be examined by VideoLAN.

Still publishing FUD about VLC

  • Should you uninstall VLC or not? Here's what you must really do

    VLC, the popular multimedia player, was pushed into a controversy after a report submitted by WinFuture stated that the player had security issues. WinFuture in its reports classified the app to be a High Risk (Level 4), hence recommending users to uninstall it from the PCs.

    As per the report, WinFuture claims that the vulnerability would allow hackers to alter the codes and breach the user data in the PC. The security agency described the issue to be 'a remote' that would allow hackers to use the flaw to execute arbitrary codes, create a denial of service state, disclose user information or even manipulate PC files. The vulnerability can also allow the scavengers to install, modify or run software applications without administrative authorisations.

    The report has further stated that the PCs running Windows, Linux, and UNIX operating systems are most vulnerable to the flaw. The security agency cleared that there were no reported cases of data theft through the flaw but considering the potential of the flaw, the users have to be very careful.

VLC FUD continues even after it being totally debunked

  • Is VLC media player Vulnerable to hackers? [Ed: The answer is "no", so why are such FUD pieces still being composed?]

    VLC Media Player has been detected with a critical vulnerability that allows hackers to hijack your computers and see your files.

"VLC representatives say the reports are fake news"

