News broke today that the VLC Media Player—immensely popular and Lifehacker-recommended—allegedly has a pretty severe bug that could allow allow a “booby-trapped” video, as The Register put it, to either crash the player or execute remote code. The former? An annoyance. The latter? A huge security issue, one that’d we recommend uninstalling VLC to address until its creator, VideoLAN, comes out with a patch.
But we’re not recommending that action just yet, because there’s a bit more to the story. The bug report for the issue has been open for four weeks, but VideoLAN president and lead VLC developer Jean-Baptiste Kempf left a series of comments today indicating that the alleged bug isn’t as big a deal as everyone is making it out to be. In three separate comments, he wrote:
“This does not crash a normal release of VLC 3.0.7.1″
“If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.”
“Sorry, but this bug is not reproducible and does not crash VLC at all.”
VideoLAN also took to Twitter to talk about the bug—or rather, the non-bug, if you’re taking their word for it:
Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly…
— VideoLAN (@videolan) July 23, 2019
Did you even check this?
No one can reproduce this issue here.— VideoLAN (@videolan) July 23, 2019
So what’s a VLC fan to do?
First, you can download a proof-of-concept video for yourself to see if it crashes your VLC upon playback. (The Register reports it crashed their version of VLC—version 3.0.7—but I had no problems with the file on my Windows-based version of VLC 3.0.7.1.) That’s not necessairly going to tell you whether your version of VLC is safe or not, but it’s an interesting data point worth looking into.
Second, if you’re using VLC on a Mac, you’re totally fine. The bug in question allegedly only affects Windows, Unix, and Linux versions of VLC. As well, the bug only appears to affect .MKV files—if you don’t even know what that is, or don’t watch them, you’re fine.
Third, and most importantly, you have to decide who to believe: the security advisory from Germany’s Computer Emergency Response Team (CERT-Bund), which brought this entire mess to light, or VideoLAN itself, which is denying the issue’s existence and severity.
I think the waters are muddy enough that I wouldn’t go uninstalling VLC from all my systems just yet. What you could do, however, is put it in time out. For the time being, switch to a secondary media player—or, dare I say it, back to Windows Media Player—and set that up as your default player for media files (Start Button > type in “Default apps” > switch your music and video player to something else).
Pay attention to VLC’s ChangeLog, and wait for the company to release a new version of the player that patches up the bug—if it’s even planning to do so. If a few minor versions (or one major version) go by and all seems well, consider going back to using VLC.
No matter what, make sure you’re always downloading the latest updates for VLC (via Help > Check for Updates). It’s also great to have VLC’s “Activate updates notifier” option enabled in its settings, so you’ll know immediately when it’s time for a new version of the app.
Leave a Reply
You must be logged in to post a comment.