News broke out today that the VLC Media Player has a potentially serious security flaw. Various media outlets have even asked their readers to stay away from the media player and outright adviced readers to uninstall it as the flaw can reportedly be used to launch remote code executions, corrupt files, steal data, and do a lot more damage. However, there is another side of the story being told by VLC developers, which hasn’t been reported as widely yet.
The security flaw, CVE-2019-13615, was apparently discovered in version 3.0.7.1 of VLC by CVE and reported by CERT-Bund. The vulnerability currently has a NIST threat score of 9.8 out of 10, which classifies it as a critical threat. As explained by CVE, the flaw requires you to play a malformed MKV file and in theory, if one downloads a malicious MKV file, the VLC bug could be used to execute code remotely and cause damage ranging from data theft to service disruption. The macOS version of the software doesn’t seem to be affected and there have been no reports of the flaw being misused yet.
However, there's more to the story. VLC developers claim that the original exploit report is incorrect since they already fixed the flaw with version 3.0.3 of the app.
Lead VLC developer, Jean-Baptiste Kempf commented that the alleged bug isn’t as big of a deal as everyone is making it out to be. In a comment, he also wrote - “This does not crash a normal release of VLC 3.0.7.1.” Another VLC developer, Francois Cartegnie, wrote, “If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.”
VideoLAN also took to Twitter to talk about the matter, and wrote "a reporter, opened a bug on our bugtracker, which is outside of the reporting policy, aka, mail us in private on the security alias." They further added, "the reporter is using Ubuntu 18.04, which is an old version of Ubuntu, and clearly has not all the updated libraries." You can check their official statements in the thread mentioned below.
About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim. Thread:
— VideoLAN (@videolan) 24 July 2019
from Latest Technology News https://ift.tt/2SD8PR7
No comments:
Post a Comment