The developers of the VLC media player have been involved into a new controversy. Recently, an alleged report by information security audit experts stated that this software had increasing security flaws that exposed users to malicious activities such as remote code execution.
The report, revealed in past days, even claimed
that, using a video loaded with malicious code, a threat actor could block or
abuse the media player to run malware on the target system.
Due to the uproar caused by this news, the developers
of the open source tool, which has been downloaded by billions of users,
decided to make some statements. According to information security audit
experts, the staff behind VLC says that while software error exists, exploiting
it is virtually impossible.
Last month, the U.S. National Institute of Standards and Technology
(NIST) documented buffer overflow vulnerability present in VLC 3.0.7.1, the
latest version of the media player.
Even though NIST, and even CERT, registered the
vulnerability and rated it as “critical”, the developers claim that
the flaw is not exploitable but, how do they support this claim?
A group of information security audit experts
tried to exploit the flaw using a proof-of-concept designed a few weeks ago and
requiring an mp4 video loaded with malware, finding that the vulnerability
cannot be exploited the way it is explained in the report. Experts also
attempted the attack in previous versions of VLC, without any success.
Francois Cartegnie, one of the developers of
VLC, was upset through his social media profiles by the cybersecurity
community’ backgrounds; “Next time I suggest you check your sources and
reconsider your false accusations,” he said.
The developers of VLC add that there is no need
to release an update patch: “if you use the latest version with the latest
libraries there is nothing to worry about”, they say. According to experts
from the International Institute of Cyber Security (IICS), the vulnerability
resided in the libebml library, so if VLC uses versions earlier than 1.3.6,
operators are likely to experience some bugs such as those presented in the
proof of concept.
