No, Do Not Uninstall VLC Due To Recent VLC Bug


Over the last couple of days, you may have seen tech websites ringing alarm bells and advising you to uninstall VLC because of a bug. The software's developers, however, say the bug everyone is so alarmed about is not a big deal. Hence, we don't recommend uninstalling the VLC media player.


All the drama surrounding VLC started after the bug in question was given a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10, which puts it in the "critical" band. The bug was reported to be able to either crash the player or lead to remote code execution. The latter is the more dangerous outcome, because it could let an attacker take control of your system.

According to Germany's Computer Emergency Response Team (CERT-Bund), the agency that first highlighted the problem, triggering the bug requires playing a malformed MKV file.


“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files,” CERT-Bund said.

Further, the bug, officially tracked as CVE-2019-13615, was said not to require privilege escalation or user interaction to exploit, which is what a 9.8 score implies. That claim sits uneasily with the only reported trigger, which is the user opening a crafted file. German publication Heise Online also reported that a customized MP4 file may trigger the bug, but neither researchers nor CERT-Bund has confirmed that.

In practice, this means your VLC player could be compromised if you download a malicious MKV file and open it. So, until VLC releases a patch, avoid MKV files from untrusted sources.

VLC's developers don't believe the flaw is serious. In fact, they say they can't even reproduce the issue, and that they weren't contacted before details of the flaw were published.

“Sorry, but this bug is not reproducible and does not crash VLC at all,” the developers said on VideoLAN bug tracker.

VideoLAN also took to Twitter to talk about the bug and to rebuke those who made the bug seem worse than it is.

“..the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly,” the tweet from VideoLAN stated.

VideoLAN's comments should come as a relief to VLC users who have spent the last couple of days wondering whether or not to uninstall VLC. Still, it would be prudent to avoid untrusted MKV files for a while. If you want to be extra safe, you can switch to another media player until a fix is released. Moreover, if you use a Mac, you reportedly don't have to worry at all, because the bug in question is said to affect only Windows, Unix and Linux.

If you want to dig deeper, you can download the proof-of-concept video and check whether it crashes VLC on your system. According to The Register, it crashed VLC version 3.0.7, but Lifehacker says it observed no such issue with the VLC version it tested. Note that the proof-of-concept video won't tell you whether your version of VLC is safe from remote code execution: one file failing to crash the player is not evidence that the underlying parsing flaw is absent.
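If you do try the proof-of-concept file, don't double-click it in the player you use every day; run it headless, in a throwaway VM, with a timeout, and record how the process ended. The harness below is an added example written for this article, not a tool from VideoLAN or from the researchers who published the file. The VLC command line it builds is an assumption (the `cvlc` headless binary with dummy audio/video outputs and a short run time); the classification logic is generic and treats any signal death (POSIX negative return code, e.g. SIGSEGV) as a crash, a timeout as a hang, and a non-zero exit as a parser error rather than a crash.

```python
import subprocess
import sys

PYTHON = sys.executable  # used by the stand-in commands in the usage example below


def vlc_command(path: str, seconds: int = 5) -> list:
    """Assumed headless VLC invocation (not from the article): no interface,
    dummy audio/video outputs, stop after `seconds`, exit when playback ends."""
    return ["cvlc", "--intf", "dummy", "--vout", "dummy", "--aout", "dummy",
            "--run-time", str(seconds), "--play-and-exit", path]


def classify_run(cmd: list, timeout: float = 30.0) -> str:
    """Run `cmd` and report how it ended.

    'crash'   : killed by a signal (returncode < 0 on POSIX, e.g. -11 for SIGSEGV)
    'hang'    : still running when `timeout` expired (the child is killed)
    'error'   : exited on its own with a non-zero status (parser rejected input)
    'clean'   : exited 0
    'missing' : the binary could not be found
    """
    try:
        proc = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"
    except FileNotFoundError:
        return "missing"
    if proc.returncode < 0:
        return "crash"
    if proc.returncode != 0:
        return "error"
    return "clean"


def check_sample(path: str, timeout: float = 30.0) -> str:
    """Play one sample file under the assumed VLC command line and classify the result."""
    return classify_run(vlc_command(path), timeout=timeout)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: python harness.py suspicious.mkv   (inside a disposable VM)
        print(check_sample(sys.argv[1]))
    else:
        # Stand-in demonstration without VLC: a process that segfaults, one that
        # hangs, and one that exits cleanly, so the classifier can be exercised.
        print(classify_run([PYTHON, "-c",
                            "import os, signal; os.kill(os.getpid(), signal.SIGSEGV)"]))
        print(classify_run([PYTHON, "-c", "import time; time.sleep(10)"], timeout=1))
        print(classify_run([PYTHON, "-c", "pass"]))
```

A "crash" result only shows that the file reaches a memory-unsafe path in that build; "clean" on one build says nothing about other builds, and neither result tells you whether the crash is controllable, which is the question that decides between denial of service and code execution.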

VideoLAN patched another critical bug in the VLC media player last month that could have allowed an attacker to execute arbitrary code. That bug was tagged CVE-2019-12874 and also carried a CVSS score of 9.8. It was discovered by Symeon Paraschoudis of Pen Test Partners.

VideoLAN fixed it in v3.0.7, which also addresses several other critical bugs, including a heap buffer overflow. That overflow, tagged CVE-2019-5439, could be triggered with a crafted .avi file; it was reported through HackerOne under a bug bounty program run by the European Union. To exploit either vulnerability, an attacker would have to trick the user into opening a specially crafted file or stream.

“The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied,” VideoLAN recommended at the time.

According to VideoLAN's Jean-Baptiste Kempf, most of the vulnerabilities disclosed last month came to light through the bug bounty sponsored by the EU-FOSSA 2 program, which rewards researchers for finding flaws in open-source software used by EU institutions.

However, Kempf says he is not in favor of bug bounties, arguing that they only encourage researchers to find flaws, not to fix them.

“What about you give money to VLC instead of random hackers?” Kempf said.

These recent vulnerabilities highlight the complexity of media players, which must support numerous container formats, codecs and text renderers, each with its own parser. The more formats a player supports, the larger its attack surface and the greater the chance that one of those parsers mishandles malformed input.


Aman holds an MBA (Finance) and has experience on both the marketing and finance sides. He has worked as a Risk Analyst for AIR Worldwide and currently leads VeRa FinServ, a financial research firm. His favorite pastimes include watching science fiction movies, reviewing tech gadgets, playing PC games and cricket.
