You Should Wait Before Banning VLC From Your Computer

Screenshot: David Murphy, VLC

News broke today that the VLC Media Player—immensely popular and Lifehacker-recommended—allegedly has a pretty severe bug that could allow a “booby-trapped” video, as The Register put it, to either crash the player or execute remote code. The former? An annoyance. The latter? A huge security issue, one for which we’d recommend uninstalling VLC until its creator, VideoLAN, comes out with a patch.

But we’re not recommending that action just yet, because there’s a bit more to the story. The bug report for the issue has been open for four weeks, but VideoLAN president and lead VLC developer Jean-Baptiste Kempf left a series of comments today indicating that the alleged bug isn’t as big a deal as everyone is making it out to be. In three separate comments, he wrote:

“This does not crash a normal release of VLC”

“If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.”

“Sorry, but this bug is not reproducible and does not crash VLC at all.”

VideoLAN also took to Twitter to talk about the bug—or rather, the non-bug, if you’re taking their word for it:

So what’s a VLC fan to do?

First, you can download a proof-of-concept video for yourself to see if it crashes your VLC upon playback. (The Register reports it crashed their version of VLC—version 3.0.7—but I had no problems with the file on my Windows-based version of VLC.) That’s not necessarily going to tell you whether your version of VLC is safe or not, but it’s an interesting data point worth looking into.

Second, if you’re using VLC on a Mac, you’re totally fine. The bug in question allegedly only affects Windows, Unix, and Linux versions of VLC. As well, the bug only appears to affect .MKV files—if you don’t even know what that is, or don’t watch them, you’re fine.

Third, and most importantly, you have to decide who to believe: the security advisory from Germany’s Computer Emergency Response Team (CERT-Bund), which brought this entire mess to light, or VideoLAN itself, which is denying the issue’s existence and severity.

I think the waters are muddy enough that I wouldn’t go uninstalling VLC from all my systems just yet. What you could do, however, is put it in time out. For the time being, switch to a secondary media player—or, dare I say it, back to Windows Media Player—and set that up as your default player for media files (Start Button > type in “Default apps” > switch your music and video player to something else).

Screenshot: David Murphy

Pay attention to VLC’s ChangeLog, and wait for the company to release a new version of the player that patches up the bug—if it’s even planning to do so. If a few minor versions (or one major version) go by and all seems well, consider going back to using VLC.

No matter what, make sure you’re always downloading the latest updates for VLC (via Help > Check for Updates). It’s also great to have VLC’s “Activate updates notifier” option enabled in its settings, so you’ll know immediately when it’s time for a new version of the app.
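As an added example (not from the article, VideoLAN, or the VLC project), the following PowerShell checks the two practical points above from the defender’s side: whether the installed VLC is older than 3.0.3, the version the quoted Gizmodo update in the comments says carries the libebml fix, and, picking up the comment below about hidden extensions, whether Explorer hides known extensions and whether anything in your Downloads folder is really a Matroska file wearing a different extension. The registry paths, the 3.0.3 threshold and the folder scanned are assumptions; adjust them for your machine.

```powershell
# Added example, not the article's own code. Assumes VLC's installer wrote its version to
# HKLM\SOFTWARE\VideoLAN\VLC and treats 3.0.3 (from the quoted update) as the fixed version.
$FixedVersion = [version]'3.0.3'

function Get-VlcVersion {
    # 32-bit VLC on 64-bit Windows lands under WOW6432Node, so look in both places.
    foreach ($key in 'HKLM:\SOFTWARE\VideoLAN\VLC', 'HKLM:\SOFTWARE\WOW6432Node\VideoLAN\VLC') {
        $raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Version
        # Strip any non-numeric suffix (e.g. a codename) so [version] can parse it.
        if ($raw) { return [version]($raw -replace '[^\d.].*$', '') }
    }
    return $null
}

function Test-ExplorerHidesExtensions {
    # HideFileExt = 1 means Explorer shows "clip" for "clip.mp4" and "clip.mkv" alike,
    # so a user cannot tell an .mkv from an .mp4 by name.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    return ((Get-ItemProperty -Path $adv -ErrorAction SilentlyContinue).HideFileExt -eq 1)
}

function Find-MisnamedMatroska {
    param([string]$Folder)
    # Matroska and WebM files start with the 4-byte EBML magic 1A 45 DF A3, whatever the name says.
    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        if (($_.Extension -in '.mkv', '.mka', '.mks', '.webm') -or ($_.Length -lt 4)) { return }
        $head = New-Object byte[] 4
        $fs = $_.OpenRead()
        try { $null = $fs.Read($head, 0, 4) } finally { $fs.Dispose() }
        if ([BitConverter]::ToString($head) -eq '1A-45-DF-A3') { $_.FullName }
    }
}

$vlc = Get-VlcVersion
if (-not $vlc) { 'VLC not found in the registry.' }
elseif ($vlc -lt $FixedVersion) { "VLC $vlc is older than $FixedVersion; update via Help > Check for Updates." }
else { "VLC $vlc is at or above $FixedVersion." }

if (Test-ExplorerHidesExtensions) {
    'Explorer hides known extensions; a renamed .mkv is not recognisable by name in this account.'
}

'Files that are Matroska/EBML inside but not named as such:'
Find-MisnamedMatroska -Folder "$env:USERPROFILE\Downloads"
```

The misnamed-file scan only tells you what a file is, not whether it is malicious; it is a way to see that the renaming trick the comment describes would actually get past a name-based filter.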

Screenshot: David Murphy


  • As well, the bug only appears to affect .MKV files—if you don’t even know what that is, or don’t watch them, you’re fine.

    NOT good advice. Considering Windows often hides file extensions, a lot of people won’t know the difference between an MPG, AVI or MKV. All they’ll know is that it’s a video file. It’s also trivial to rename a dodgy file from “gonnabreakyourpc.mkv” to “perfectlysafe.mp4”, and VLC would still attempt to play it and potentially get hit by the bug *

    * assuming there is a bug in the first place. Which seems kinda doubtful.

    • *ugh* tried to reply but it vanished with no error message. So I dunno what happened there.

      This quote suggests it’s a non-issue if you have an up to date version:

      Update 7/24: VideoLAN took to Twitter earlier this morning to clarify that the security issue discovered by CERT-Bund is not as severe as reported. VideoLAN says the issue was in a 3rd party library, called libebml, which was fixed more than 16 months ago. Mitre’s claim was based on a previous (and outdated) version of VLC, not 3.0.3 or more recent, which has the corrected version.

      Taken from:

      It’d be nice if Gizmodo and Lifehacker could be on the same page. Pretty disconcerting for readers when you have contradictory articles.
