topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday March 28, 2024, 6:34 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Author Topic: VLC player has critical security flaw - July 23, 2019 - UPDATED  (Read 7110 times)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Yikes -- this is concerning if you use VLC player to play media files.

Researchers from German firm CERT-Bund say they have detected a major safety flaw in the video player, which has been downloaded billions of times across the world, which could allow hackers access to compromise users' devices.

« Last Edit: July 24, 2019, 01:28 PM by mouser »

ConstanceJill

  • Supporting Member
  • Joined in 2012
  • **
  • Posts: 205
    • View Profile
    • Donate to Member
Re: VLC player has critical security flaw - July 23, 2019 - UPDATED
« Reply #1 on: July 24, 2019, 01:21 AM »
It's only concerning if you play files from untrusted sources, though.

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: VLC player has critical security flaw - July 23, 2019 - UPDATED
« Reply #2 on: July 24, 2019, 01:46 AM »
true

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: VLC player has critical security flaw - July 23, 2019 - UPDATED
« Reply #3 on: July 24, 2019, 05:40 AM »
Yeah, I never did trust Bach anyway.
But in all seriousness, knowing of a flaw like that wouldn't bother me as I never have trusted VLC anyway. For years I have used it as my main/preferred audio player, but it was always blocked in the settings from going out to the net and I also blocked it at the firewall, just in case. Same with Windows Media Player - but that was because I figured MS (with its deliberate "Rights Management") was in cahoots with the apparent US government corruption by organisations such as (for example) the RIAA and MPAA, who had also got themselves embedded tick-like with the NZ government. Basically "legally" spying on users via ISPs, collecting their usage and downloading metadata and phoning home to good ol' MSHQ or somesuch with the info, prosecuting people for downloading freely available material. No thanks. I don't leave my door open for people/censors like that. My kids could (and do) download all sorts of harmless stuff that I don't need to know about - the harmful (e.g., malware, virus, trojan) stuff is automatically caught and blocked though.
That's why I used Windows Firewall Control (now owned by Malwarebytes), MAFIAA Fire, Simple DNSCrypt and the SoftEther VPN Client + VPN Gate Client Plug-in.

I value and protect the online security and privacy of myself and my family and I don't accept snooping and being "hit" by anyone, especially US or other nation corporate mafia-type organisations sanctioned by the state.
« Last Edit: July 24, 2019, 07:33 AM by IainB »

Curt

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 7,566
    • View Profile
    • Donate to Member
Re: VLC player has critical security flaw - July 23, 2019 - UPDATED
« Reply #4 on: July 24, 2019, 06:09 AM »
I never did trust Bach anyway.

yet   he will be Bach

IainB

  • Supporting Member
  • Joined in 2008
  • **
  • Posts: 7,540
  • @Slartibartfarst
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: VLC player has critical security flaw - July 23, 2019 - UPDATED
« Reply #5 on: July 24, 2019, 07:03 AM »
I never did trust Bach anyway.
-IainB (Today at 05:40:09)

yet   he will be Bach
Har-de-har-har.
I just put that joke in as a placeholder whilst I wrote a (hopefully) useful response (done now, see above).

What is the question, the answer to which is "9W"?
Spoiler
Is that spelt with a "V" herr Vagner?


mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,896
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: VLC player has critical security flaw - July 23, 2019 - UPDATED
« Reply #6 on: July 24, 2019, 01:29 PM »
UPDATE:

https://www.ghacks.n...layer-vulnerability/
"Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers detected that the issue was caused by an older version of the third-party library called libebml that was included in older versions of Ubuntu. The researcher used that older version of Ubuntu apparently. End"

From VLC: "End of story: VLC is not vulnerable, whether this is 3.0.7.1 or even 3.0.4. The issue is in a 3rd party library, and it was fixed in VLC binaries version 3.0.3, out more than one year ago…"

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,747
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: VLC player has critical security flaw - July 23, 2019 - UPDATED
« Reply #7 on: July 25, 2019, 01:48 AM »
Update: VideoLAN confirmed that the issue was not a security issue in VLC Media Player. The engineers detected that the issue was caused by an older version of the third-party library called libebml that was included in older versions of Ubuntu. The researcher used that older version of Ubuntu apparently. End

Wut? :huh:

The TechRadar article says:

The issue has been detected in the Windows, Linux and UNIX versions of VLC, however the macOS version appears to be unaffected.

VideoLAN, the not-for-profit organisation beind VLC Media Player, says it has been working on a patch for the flaw for the last four weeks, and is 60 percent through.

Where did they get the information that the exploit exists on multiple OSes and that VideoLAN was only 60% finished with a patch for the flaw when VideoLAN says it was fixed over a year ago and only vulnerable on an old* version of Ubuntu which uses an old 3rd party library?




* To be fair to the researcher, the "old" version of Ubuntu is supposedly Ubuntu 18.04, which is the most recent LTS version of Ubuntu.
« Last Edit: July 25, 2019, 01:57 AM by Deozaan »