Tuesday, July 23, 2019

No, You Don’t Need to Uninstall VLC

VLC shortcut icon on a Windows desktop

“The sky is falling; uninstall VLC right now!” That’s the advice some websites are providing. But the purported VLC flaw is overblown—and, according to VLC’s developers, may not even be a real risk.

This commotion all started with the publication of CVE-2019-13615, which is marked as a “critical” vulnerability with a score of 9.8 out of 10. VLC’s developers aren’t happy they weren’t even contacted before the publishing of this flaw.

But it’s bad, right? That’s 9.8 out of 10—as security flaws go, it sounds like an incoming nuclear strike. This flaw could reportedly result in remote code execution, which is bad. Attackers could gain control of your system through a bug in VLC.

As the CVE explains, this flaw requires playing a malformed MKV file. In theory, if you download a malicious MKV file from the web and run it, it could compromise VLC—although no one claims this has ever happened in the real world. Also, the macOS version of VLC doesn’t seem to be affected.

So, even if this flaw is as bad is it appears, you just have to be careful about MKV files—don’t download untrusted MKV files and play them in VLC until a patch is released. Stay away from MKV if you’re pirating media.

But not so fast! VLC’s developers say they can’t even reproduce the issue, suggesting that there are serious problems with the original exploit report.

No comments:

Post a Comment