Info suggesting that the popular VLC Media Player has a large security vulnerability is making rounds on the Internet. The gap is allegedly designed to allow the use of properly crafted video material and freezing the player or even executing malicious scripts.
The creators see no problem
But before we uninstall the program from our hard rives, let's stop for a moment and take a closer look. The bug was reported as early as four weeks ago and was considered critical, but the developers did not seem to care much about it. After some time the matter became public and Jean-Baptiste Kempf, the main developer of VLC, presented his position on the forum. He's published a few posts:
This does not suspend the normal release of VLC 126.96.36.199.
If you found this report after reading the news abour a critical error in VLC, I suggest you read the above entry and consider your source of (false) information.
Sorry, but this error cannot be reproduced and it does not cause the VLC to freeze.
Some of the discussions have moved to Twitter.
How to live?
You can try to cause the error on your own, using a file published on the forum and see if the application decides to freeze. However, this will not answer the question whether it is immune to remote scripting.
We decided to check in Windows what happens when you try to play the file from the forum using VLC in three versions: 3.0.6, 3.0.7 and 188.8.131.52. And nothing suspicious has happened. The problem appeared only when loop playback was enabled - then the application actually froze, although the reasons for that may have been different. Most curious...
The problem should concern only VLC releases on Windows and Linux and files in .MKV format. It is hard to say who is right - the developers (VideoLAN), who downplay the significance of the reports, or the security specialists from the German Computer Emergency Response Team (CERT-Bund). However, it is worth taking care to update the program in real time and not to play files from unknown sources.