VLC: Critical vulnerability discovered, but do not uninstall it. Here’s what to do

According to some sources, the media player has a critical vulnerability that, in the worst case, would allow remote code execution. VideoLAN denies this and calls the report "a hoax".

In the last few hours, worrying news has spread among users of VLC, the popular multimedia player available on both desktop and mobile platforms. The software reportedly contains a vulnerability that can be exploited with specially crafted videos to crash the player or, in the most serious case, to allow remote code execution. That would be a very serious security flaw in widely used software.

The story is not so straightforward, however, since the disclosure (by CERT-Bund) has drawn several responses. Jean-Baptiste Kempf, president of VideoLAN (the organization behind the media player) and lead developer of VLC, posted a series of messages on the topic: "The vulnerability does not cause a crash on a normal release of VLC 3.0.7.1", later going on to call the report a "hoax". In a further comment, the VideoLAN executive also points out that "the bug is not reproducible in any way on VLC, nor does it crash".

VideoLAN itself also responded on its official Twitter account, pinpointing the problem: according to the organization, the "security problem" lies in a third-party library (libebml) and was fixed more than 16 months ago.

VLC has shipped that fix since version 3.0.3. The full statement can be read on Twitter, together with VideoLAN's criticism of MITRE's (repeated) practice in disclosing the CVE and of the method used to verify the bug. The organization stresses that VLC is not vulnerable.

What should a regular VLC user do? The original bug report includes a proof-of-concept video: you can download it, open it with VLC and see whether the player crashes. Bear in mind that a file which does not crash your player only shows that this one sample is harmless on your build; the dependable check is the version number, since the fix has been included since VLC 3.0.3.

According to the disclosers, the exploit video crashes the player, but according to many other reports nothing happens when the file is opened (in our own case, we did not observe any crash with the latest VLC release, 3.0.7.1).

The bug also reportedly affects only VLC clients for Windows, Unix and Linux, and can only be triggered through .MKV files, so macOS users are unaffected. Furthermore, there is no sign that the bug was actively exploited during the roughly four weeks the report was reportedly open. In short, the accounts clearly conflict, but if you want to be fully safe, just update, or at least make sure you are not running a VLC release older than 3.0.3, the version that shipped the libebml fix more than 16 months ago.
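As an added example (not code from this article or from VideoLAN), here is a shell check that applies the article's own criterion, a VLC release at or past 3.0.3, instead of opening the proof-of-concept file. It assumes that the first relevant line of `vlc --version` output reads either `VLC media player X.Y.Z ...` or `VLC version X.Y.Z ...`; that output format is an assumption, and the two sample strings in the script are constructed rather than captured from a real machine. One caveat: the article places the fix in the bundled libebml, so on Linux distributions that build VLC against a system-wide libebml package, the VLC version number alone does not tell you which libebml the MKV demuxer loads.

```shell
#!/bin/sh
# Added example, not VideoLAN's code: decide from the installed VLC version
# whether a build is at or past the 3.0.3 release the article cites as the
# first one carrying the libebml fix.

FIXED_VERSION="3.0.3"   # threshold taken from the article

# Pull "major.minor[.patch[.sub]]" out of `vlc --version` text.
# Assumed line formats: "VLC media player 3.0.7.1 Vetinari (...)" or
# "VLC version 3.0.7.1 Vetinari (...)"; the first match wins.
vlc_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n -e 's/^VLC media player \([0-9][0-9.]*\).*/\1/p' \
                 -e 's/^VLC version \([0-9][0-9.]*\).*/\1/p' \
        | head -n 1
}

# Numeric, field-by-field comparison of dotted versions, so that
# "3.0.10" ranks above "3.0.3" and "3.1" above "3.0.7.1".
# Returns 0 when $1 >= $2, 1 otherwise.
version_at_least() {
    awk -v have="$1" -v want="$2" 'BEGIN {
        n = split(have, h, "."); m = split(want, w, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            a = (i <= n) ? h[i] + 0 : 0   # missing trailing fields count as 0
            b = (i <= m) ? w[i] + 0 : 0
            if (a > b) exit 0
            if (a < b) exit 1
        }
        exit 0
    }'
}

# Verdict for a raw `vlc --version` text: prints one line and returns
# 0 (fixed), 1 (older than the fix) or 2 (could not parse the output).
vlc_is_fixed() {
    ver=$(vlc_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo "could not find a VLC version line in the output" >&2
        return 2
    fi
    if version_at_least "$ver" "$FIXED_VERSION"; then
        echo "VLC $ver: at or past $FIXED_VERSION, ships the libebml fix"
        return 0
    fi
    echo "VLC $ver: older than $FIXED_VERSION, update"
    return 1
}

# Constructed sample outputs (not captured from a real installation).
SAMPLE_NEW="VLC media player 3.0.7.1 Vetinari (revision 3.0.7.1-0-gdeadbeef)"
SAMPLE_OLD="VLC version 3.0.2 Vetinari (3.0.2-0-gcafebabe)"

# Check the real binary when one is on PATH, otherwise dry-run the samples.
if command -v vlc >/dev/null 2>&1; then
    vlc_is_fixed "$(vlc --version 2>&1)"
else
    vlc_is_fixed "$SAMPLE_NEW"
    vlc_is_fixed "$SAMPLE_OLD" || true
fi
```

On Windows the same comparison applies to the version shown in the VLC "About" dialog; the script only automates the Unix-style command-line check.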
