“The sky is falling; uninstall VLC right now!” That’s the advice some websites are providing. But the purported VLC flaw is overblown—and, according to VLC’s developers, may not even be a real risk.
This commotion all started with the publication of CVE-2019-13615, which is marked as a “critical” vulnerability with a score of 9.8 out of 10. VLC’s developers aren’t happy they weren’t even contacted before the publishing of this flaw.
Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly…
— VideoLAN (@videolan) July 23, 2019
But it’s bad, right? That’s 9.8 out of 10—as security flaws go, it sounds like an incoming nuclear strike. This flaw could reportedly result in remote code execution, which is bad. Attackers could gain control of your system through a bug in VLC.
As the CVE explains, this flaw requires playing a malformed MKV file. In theory, if you download a malicious MKV file from the web and run it, it could compromise VLC—although no one claims this has ever happened in the real world. Also, the macOS version of VLC doesn’t seem to be affected.
So, even if this flaw is as bad as it appears, you just have to be careful about MKV files—don’t download untrusted MKV files and play them in VLC until a patch is released. Stay away from MKV if you’re pirating media.
But not so fast! VLC’s developers say they can’t even reproduce the issue, suggesting that there are serious problems with the original exploit report.
Did you even check this?
No one can reproduce this issue here.