Critical flaw in VLC media player leaves PCs exposed, VideoLAN says otherwise

Humza

Posts: 881   +162
Staff member

Identified as CVE-2019-13615, the vulnerability in the hugely popular VLC media player (version 3.0.7.1) was recently discovered by German security agency CERT-Bund and given a rating of 9.8 in the NIST's National Vulnerability Database.

Apparently, the flaw leaves billions of computers exposed to remote code execution (RCE) where hackers can get unauthorized access to install and execute malicious code and modify files/data on target machines and cause disruption through denial-of-service attacks.

Although the bug has been open at VideoLAN's end for the past four weeks, and the team is 60 percent through working on a fix, VLC developer Jean-Baptiste Kempf says the issue is not reproducible and doesn't crash a normal release of VLC 3.0.7.1, reports lifehacker, with Kempf making the following comments:

"This does not crash a normal release of VLC 3.0.7.1"

"If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources."

Twitter handle of the VideoLAN team also had a word with CVE on how the issue was reported publicly.

Reportedly, the bug doesn't affect macOS users so they can continue using the software without any problems. Those on either Windows, Linux or Unix are advised to practice caution as things proceed because it's rather tricky to pick a side between the German Computer Emergency Response Team (CERT-Bund) who first brought the issue to light or VideoLAN, the non-profit organization behind the open-source media player.

In the meantime, the better approach is to temporarily retire the software until a patch becomes available, and use another alternative like KMPlayer, GOM Player or Media Player Classic. Though if you feel like it, you can download the proof-of-concept video from the original filer of the bug to see if it crashes your VLC installation (it didn't crash on my end) and decide for yourself.

Permalink to story.

 

seeprime

Posts: 573   +695
I opened the heap-over-flow.mp4 file (WIndows 10 Pro 64-bit). All it did was lock up VLC 3.0.7.1. Task Manager closed it. It didn't crash. So, if any new videos act weirdly, they've been modified. This doesn't seem to be a real problem, at least for now.
 

DukeJukem

Posts: 234   +232
Besides the sharpening slider, I dont see why people use vlc anymore. media player classic black edition is the best imo
 

trparky

Posts: 943   +993
I opened the heap-over-flow.mp4 file (WIndows 10 Pro 64-bit). All it did was lock up VLC 3.0.7.1. Task Manager closed it. It didn't crash. So, if any new videos act weirdly, they've been modified. This doesn't seem to be a real problem, at least for now.
Not even that, I open the file in the same version of VLC on a Windows 10 Pro 64-bit system and nothing happened. No lock-up, nothing happened. I could still open the About window after opening the file. The window did blink but that's about it. I even enabled Windows Defender Exploit Guard for VLC and opened the file again, nothing happened.
 

antiproduct

Posts: 194   +229
After freaking out that I just installed VLC 3.0.7.1 on about 30 computers over the past couple weeks, I started researching. Apparently there's an update to all this:

VidelLAN tweeted:
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.

also:
The VLC CVE on the National Vulnerability Database has now been updated, downgrading the severity of the issue from a Base Score of 9.8 (critical) to 5.5 (medium), with the change log also specifying that the “Victim must voluntarily interact with attack mechanism.”

From:
https://gizmodo.com/you-might-want-to-uninstall-vlc-immediately-1836641101
 

Squid Surprise

Posts: 4,136   +3,320
A bit suspicious how VLC people are so quick to defend.... “it doesn’t crash VLC”.... so what? The vulnerability states that it leaves the PC vulnerable - it doesn’t need to crash for that to be true... and while they say it isn’t reproducible, they are “almost finished” a fix.... if it really isn’t broken, why does it need a fix?
 
A bit suspicious how VLC people are so quick to defend.... “it doesn’t crash VLC”.... so what? The vulnerability states that it leaves the PC vulnerable - it doesn’t need to crash for that to be true... and while they say it isn’t reproducible, they are “almost finished” a fix.... if it really isn’t broken, why does it need a fix?

What I find suspicious is people like you commenting a technical issue without the background to understand it.

The guy who reported publicly the "supposed" issue did TOTALLY **** it up. And now he even apologies regarding all the mess everywhere (valid for here also).
https://trac.videolan.org/vlc/ticket/22474#comment:26

- Yes we're fast telling there no issue, because we know our product, we know what we previously fixed, and even the author of that library is part of the team, so HE knows.
- Reporter used an OLD library which was FIXED 18 months ago.
- Reported tagged himself progress and such. We NEVER did.
- CERT just browsed public issues and PICKED is AS IS, without mandatory comments and verification
- Additionally CERT did totally **** up rating the issue. If you want something easy, how is that related to network or every vlc versions ? (how old is MKV)

Team is already small enough, we don't have time to waste on BOGUS issues and Gizmodo's stupid and unverified recommandations.

When there's security issues, we patch them in time.

Oh, yeah, and you can run away to use other products. Since they use the really same libraries, I hope for you they do use the fixed ones we release...