Over the last couple of days, you must have seen some tech websites ringing alarm bells and advising you to uninstall VLC due to a bug. However, the software’s developers believe the VLC bug everyone is so terrified about is not a big deal. Hence, we don’t recommend that you uninstall the VLC media player.
All this drama surrounding VLC started after the bug in question was given a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10, suggesting a “critical” vulnerability. The VLC bug could either crash the player or execute remote code. The latter is more dangerous because it could allow attackers to take control of your system.
According to the German Computer Emergency Response Team (CERT-Bund), the agency which first highlighted the problem, the bug requires playing a malformed MKV file.
“A remote, anonymous attacker can exploit the vulnerability in VLC to execute arbitrary code, cause a denial-of-service condition, exfiltrate information, or manipulate files,” CERT-Bund said.
Further, it was said that this bug, which is officially tagged as CVE-2019-13615, does not need privilege escalation or user interaction to exploit. Moreover, German publication Heise Online reported that a customized MP4 file may trigger the bug. However, neither researchers nor CERT-Bund has confirmed any such thing.
This means your VLC player could be compromised if you download a malicious MKV file and open it. Thus, all you have to do is avoid opening MKV files from untrusted sources until VLC releases a patch.
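The advice above comes down to not opening MKV files from untrusted sources, but a file extension is only a label: a Matroska file renamed to .mp4 is still parsed as Matroska once the player sniffs its header. The following added example (not code from this article or from VideoLAN) classifies a file by its leading bytes instead of its extension and flags mismatches. The sample byte strings are constructed for the illustration, and the set of “risky” containers is an assumption chosen to match the formats named in the article.

```python
"""Identify a media file's container from its leading bytes rather than its extension.

Added example, not from the article or from VideoLAN. The sample byte strings
below are constructed for this illustration, not captured from real files.
"""
import struct

EBML_MAGIC = b"\x1a\x45\xdf\xa3"      # every Matroska/WebM file starts with this
RISKY_CONTAINERS = {"mkv", "avi"}     # assumption: containers named in recent VLC advisories


def detect_container(data: bytes) -> str:
    """Classify by magic bytes; returns 'mkv', 'webm', 'avi', 'mp4' or 'unknown'."""
    head = data[:64]
    if head.startswith(EBML_MAGIC):
        # The EBML header carries a DocType string: 'webm' or 'matroska'
        if b"webm" in head:
            return "webm"
        if b"matroska" in head:
            return "mkv"
        return "ebml-unknown"
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return "avi"
    if head[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected container and flag risk."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    detected = detect_container(data)
    return {
        "file": filename,
        "extension": ext,
        "detected": detected,
        "mismatch": ext != detected,
        "risky": detected in RISKY_CONTAINERS,
    }


def _ebml(doctype: bytes) -> bytes:
    """Constructed minimal EBML header: magic, size byte, then a DocType element (ID 0x4282)."""
    doc = b"\x42\x82" + bytes([0x80 | len(doctype)]) + doctype
    return EBML_MAGIC + bytes([0x80 | len(doc)]) + doc + b"\x00" * 32


# Constructed samples: four honest files and one Matroska file renamed to .mp4
SAMPLES = {
    "holiday.mkv": _ebml(b"matroska"),
    "clip.webm": _ebml(b"webm"),
    "old.avi": b"RIFF" + struct.pack("<I", 40) + b"AVI LIST" + b"\x00" * 32,
    "movie.mp4": struct.pack(">I", 24) + b"ftypisom" + b"\x00" * 32,
    "trailer.mp4": _ebml(b"matroska"),
}


def scan(samples=SAMPLES):
    """Run triage over every sample and return the results."""
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for r in scan():
        flag = "!" if r["mismatch"] or r["risky"] else " "
        print(f"{flag} {r['file']:14} ext={r['extension']:5} "
              f"detected={r['detected']:8} risky={r['risky']}")
```

Run against a real directory, replace `SAMPLES` with the first 64 bytes of each file; a `!` marks files whose container is either on the risky list or does not match what the name claims, which is the case worth a second look before opening it in any player.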
VLC developers don’t believe the flaw is serious. In fact, developers say they can’t even reproduce the issue and that they weren’t even contacted before details about the flaw were published.
“Sorry, but this bug is not reproducible and does not crash VLC at all,” the developers said on the VideoLAN bug tracker.
VideoLAN also took to Twitter to talk about the bug and to rebuke those who made the bug seem worse than it is.
“..the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly,” the tweet from VideoLAN stated.
Did you even check this?
No one can reproduce this issue here.
— VideoLAN (@videolan) July 23, 2019
VideoLAN’s comments should come as a relief for VLC users who have spent the last couple of days unsure whether or not to uninstall VLC. Still, it would be better to stay away from untrusted MKV files for a while. If you want to be extra safe, you can switch to another media player until a fix is released. Moreover, if you use a Mac, you don’t have to worry at all, because the VLC bug in question reportedly affects only Windows, Unix and Linux.
If you want to dig deeper, you can download the proof-of-concept video to find out whether it crashes the VLC media player on your system. According to The Register, it crashed VLC version 3.0.7, but Lifehacker says it observed no such issues with VLC version 18.104.22.168. It must be noted that the proof-of-concept video won’t tell you whether your version of VLC is safe from remote code execution or not.
VideoLAN patched another critical bug in the VLC media player last month that could have allowed a hacker to execute arbitrary code. The bug was tagged as CVE-2019-12874 and had a CVSS score of 9.8. It was discovered by Symeon Paraschoudis from Pen Test Partners.
VideoLAN patched the vulnerability with v3.0.7, which also fixes several other critical bugs, including a heap buffer overflow. The heap buffer overflow issue was tagged as CVE-2019-5439 and could be exploited using a crafted .avi file. This bug was revealed via HackerOne through a bug bounty program run by the European Union. To exploit the vulnerability, a hacker would have to trick the user into opening a specially crafted file or stream.
“The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied,” VideoLAN recommended at the time.
According to VideoLAN’s Jean-Baptiste Kempf, most of the vulnerabilities revealed last month came to light through the bug bounty sponsorship via the EU-FOSSA 2 program. The program rewards hackers for discovering flaws in open-source software used by EU organizations.
However, Kempf admits that he is not in favor of bug bounties because they only encourage researchers to discover flaws and not to find fixes for the flaws.
“What about you give money to VLC instead of random hackers?” Kempf said.
These recent vulnerabilities highlight the complex nature of media players, which must support numerous file formats, codecs and text renderers. The more formats they support, the greater the chances of them having open security holes.