VLC Player temporarily affected by very dangerous security flaw, but it's been patched
Do you use VLC Player?
VLC Player is one of the most popular free, open-source, cross-platform media players in the world, if not the most popular.
Basically, most people who torrent movies and TV shows watch them on VLC Player.
Shockwaves were sent through the tech world on Thursday when a German security agency called CERT-Bund discovered what appeared to be a dangerous security flaw in the software.
The security watchdog gave the software a score of 9.8, describing its vulnerability as critical.
Tech website Gizmodo had made the claim that:
"The vulnerability allows for RCE (remote code execution) which potentially allows bad actors to install, modify, or run software without authorisation, and could also be used to disclose files on the host system.
"Translation: VLC’s security hole could allow hackers to hijack your computer and see your files."
VideoLAN, the developer behind VLC Player, has since gone on the offensive, excoriating several publications for repeating the claim without contacting them for comment.
In a thread on Twitter, VideoLAN explained:
"The issue is in a third party library, called libebml, which was fixed more than 16 months ago."
They further revealed that a patch had been issued for the flaw 16 months ago, and CERT-Bund has downgraded their risk to 5.5 — alongside the comment, "Victim must voluntarily interact with attack mechanism."
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
— VideoLAN (@videolan) July 24, 2019