Sometime during the month of July, a lot of online websites reported that there was a huge security flaw in VLC. Which, as most of you know is one of the most trusted open-source, multi-media applications. In these articles, the readers were urged to uninstall VLC immediately in order to avoid any security breaches. What the readers didn’t know however was that these were all exaggerated security flaws and extremely outdated.
What Went Down
The various reports were based on disclosure by a German security agency which stated that VLC had a critical RCE (remote code execution) exploit. This basically means that hackers can control the infected devices. They could install and modify applications, run payloads by accessing your accounts, and even steal personal private information.
Then a report was filed regarding the software vulnerability disclosure. It was sent to Mite Corp which is a US government-funded organization. Their main purpose is to look for CVEs or Common Vulnerabilities and Exposures. The RCE was then listed on the National Vulnerability Database and garnered a vulnerability score of 9.8 which is classified as critical.
VLC Clears Up Exaggerated Security Flaws
After the reports, VLC finally took to Twitter to clarify everything that happened.
According to VideoLAN, the problem was a bug in a third-party library that they have already patched – 16 months ago.
Shortly after, VLC added that responsible reporting must be practiced at all times. Jean-Baptiste Kempf, VideoLAN President said that “In infosec, everything is about getting clicks. We’re at the level of tabloids”.
If you haven’t already noticed, online reports nowadays have deceiving titles that function as clickbait. Who can blame them? After all, they generate money with the number of views they get on their pages. But most times, clickbait becomes exaggerated and misinformation is spread instead.
After VideoLAN clarified the bug, most of the online reports updated and edited the content. The NVD report was also decreased and mentioned the third-party library. However, these edited articles didn’t get as much exposure as the original article. So, chances are, most people still have VLC uninstalled.
Security Researchers and Developers
The main problem that Kempf pointed out was that they received no notice whatsoever from the security researchers regarding the software vulnerability disclosure. They posted it right away before checking with the company to see whether it was accurate or not. Not only is this behavior unethical, it is also very harmful.
Before anything, researchers must make sure they fully understand the company’s network and system before even conducting their researchers. The main reason behind this whole exaggerated security flaws problem was because they used an outdated version of VLC.
Mitre also did not notify VideoLAN that they would be making the disclosure public. But Kurt Seifried, Chief Blockchain Officer and Director of Special Projects at the CloudSecurityAlliance quickly responded that verifying every single CVE report is impossible.
“I understand that they cannot check every CVE, but that they approve a CVE at 9.8 and don’t stop for one second to look at it or to contact the developers? That makes no sense,” responded Kempf. “You publish something on your website, you’re responsible. You’re not the one assigning CVEs? I don’t care. It’s not my problem. There’s false information on your website. Fix it!”