Update: VideoLAN tweets that VLC is no more vulnerable as the issue had been fixed more than 16 months ago. So, as users, all you need to do is update the application to its latest version.
About the “security issue” on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.Thread:
— VideoLAN (@videolan) July 24, 2019
VLC is the go-to media player software for Windows and it has a fair share of downloads on the Android and iOS mobile platforms. So, your PC or phone might also have it installed. A German security agency has discovered a potentially critical flaw. The attack is alleged to start by playing a malicious MKV video file. Attackers can then apparently hijack your device and access the files.
The VLC security flaw: What does it mean?
VLC is a popular open-source media player from a french company called VideoLAN. It recently crossed 3 billion downloads, which in itself is a testament to its fame. However, now the application is blamed with a “critical” vulnerability score of 9.8 out of 10 by CERT-Bund, the aforementioned German security agency. It is published in and as CVE-2019-13615.
If you’re wondering, the issue is in the PC (Windows, Unix, and Linux) version, which opens a backdoor for hackers to push malicious attack. This is called Remote Code Execution, which could result in a DDoS (denial of service) attack, file corruption, data theft, and more.
VLC users (PC): What can you do?
You’re advised to stay away from malformed MKV files from the internet, until the alleged flaw is patched and we are sure of no problems, whatsoever. First of all, don’t download from any shady websites. And even if something gets flushed into your Downloads folder, don’t run it. A pro tip would be to avoid pirate videos (especially MKV format) from Torrents and other such sources.
ALSO READ: Realme X FAQ – All Questions Answered
Further, you should always keep all software (VLC included) up-to-date. Ensure, VLC is updated with its latest libraries. Or you may try VLC alternatives like KMPlayer or Media Player Classic. That’s all for now.
What is VLC’s response?
The Good News is the problem isn’t yet exploited. VLC is also aware of the situation and is working around a patch. The patch is reportedly 60-percent ready. But until then many systems are vulnerable.
The VLC developers claim the issue isn’t as serious as stressed by the security agency and some sites out in the web. It tweets as follows –
Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly…
— VideoLAN (@videolan) July 23, 2019
It further bashes the MITREcorp and CVEnew for disregarding their disclosure guidelines, which states as follows:
Contact the affected product vendor directly
You should make a good faith effort to notify the affected vendor and work with them to ensure that a patch is available prior to publicly disclosing the vulnerability. Information is more accurate and complete when researchers and vendors work together. This practice also reduces the likelihood of a duplicate CVE ID being issued, which can happen when both a researcher and vendor request CVE IDs.
Source: cve.mitre.org
VLC even highlights a reproduction problem with the original exploit report.
Did you even check this?
No one can reproduce this issue here.— VideoLAN (@videolan) July 23, 2019
We will keep you posted on this topic. You may bookmark this article for further reference. Share it within your social circle to inform your folks.
