The developers of the VLC media player have been drawn into a new controversy. A recent report attributed to information security audit experts claimed that the software contains a serious security flaw that exposes users to attacks such as remote code execution.
The report, published in recent days, went as far as claiming that a threat actor could use a video file loaded with malicious code to crash the player or abuse it to run malware on the target system.
Because of the uproar the news caused, the developers of the open source tool, which has been downloaded billions of times, decided to respond. According to information security audit experts, the VLC team says that while the software bug does exist, exploiting it is virtually impossible.
Last month, the U.S. National Institute of Standards and Technology (NIST) documented a buffer overflow vulnerability in VLC 3.0.7.1, the latest version of the media player at the time.
Although NIST, and CERT as well, registered the vulnerability and rated it "critical", the developers maintain that the flaw is not exploitable. How do they support this claim?
A group of information security audit experts tried to exploit the flaw using a proof of concept written a few weeks earlier, which relies on an mp4 video file carrying the malicious payload, and found that the vulnerability cannot be exploited the way the report describes. They also attempted the attack against earlier versions of VLC, again without success.
Francois Cartegnie, one of the VLC developers, voiced his frustration on his social media profiles at how the story had spread through the cybersecurity community: "Next time I suggest you check your sources and reconsider your false accusations," he wrote.
The VLC developers add that there is no need to release a patch: "if you use the latest version with the latest libraries there is nothing to worry about", they say. According to experts from the International Institute of Cyber Security (IICS), the vulnerability resided in the libebml library rather than in VLC's own code, so a VLC build that links a libebml version earlier than 1.3.6 is likely to exhibit the kind of bug shown in the proof of concept, while a build using 1.3.6 or later is not.
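Since the developers' position is that the fix lives in the library rather than in VLC, the practical check for an operator is which libebml release their VLC actually uses. The script below is an added example written for this article; it is not code from the VideoLAN project or the IICS report. It assumes a Linux VLC build that links the distribution's libebml (VLC's own Windows and macOS binaries bundle their libraries, so the package lookups below do not apply there), and it assumes the version can be read from a pkg-config `.pc` file or from the Debian or RPM package database; the 1.3.6 threshold is the one the article names.

```shell
#!/bin/sh
# Added example (not from the article or the VideoLAN project): does this host's
# libebml meet the 1.3.6 release the article cites as containing the fix?
set -eu

FIXED_LIBEBML="1.3.6"   # release named in the article as fixed

# version_ge A B: succeed (exit 0) when dotted version A >= dotted version B.
# Pure POSIX sh, one numeric component at a time, so 1.3.10 > 1.3.6 (a plain
# string compare would get that wrong). A missing component counts as 0, and a
# distro suffix such as "1.3.6-1ubuntu1" is stripped before comparing.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        [ "$a" = "$ah" ] && a='' || a=${a#*.}
        [ "$b" = "$bh" ] && b='' || b=${b#*.}
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -gt "$bh" ]; then return 0; fi
        if [ "$ah" -lt "$bh" ]; then return 1; fi
    done
    return 0
}

# libebml_is_fixed VERSION: succeed when VERSION is at or above the fixed release.
libebml_is_fixed() {
    version_ge "$1" "$FIXED_LIBEBML"
}

# installed_libebml_version: best-effort lookup of the libebml release on this
# host. Assumed sources (in order): pkg-config metadata, then the Debian and RPM
# package databases. Prints the version, or nothing if it cannot be determined.
installed_libebml_version() {
    v=$(pkg-config --modversion libebml 2>/dev/null || true)
    [ -n "$v" ] || v=$(dpkg-query -W -f '${Version}\n' 'libebml*' 2>/dev/null | grep '^[0-9]' | head -n1 || true)
    [ -n "$v" ] || v=$(rpm -q --qf '%{VERSION}\n' libebml 2>/dev/null | grep '^[0-9]' | head -n1 || true)
    printf '%s\n' "$v"
}

# check_system: report the host's libebml against the fixed release.
# Exit 0 = fixed release or newer, 1 = older, 2 = could not determine.
check_system() {
    v=$(installed_libebml_version)
    if [ -z "$v" ]; then
        echo "libebml version could not be determined on this host"
        return 2
    fi
    if libebml_is_fixed "$v"; then
        echo "libebml $v: at or above $FIXED_LIBEBML, the release the article names as fixed"
    else
        echo "libebml $v: older than $FIXED_LIBEBML, update the library (or VLC's bundled copy)"
        return 1
    fi
}

# Run the host check only when invoked as: sh check_libebml.sh check
if [ "${1:-}" = check ]; then
    check_system
fi
```

Run it with the `check` argument on the machine that hosts VLC. A distribution that backports fixes without bumping the version string can still pass a stricter test than this script applies, so treat a result below 1.3.6 as a prompt to consult the distribution's changelog, not as proof that the proof-of-concept file will crash that build.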