First of all, read this https://gizmodo.com/you-might-want-to-uninstall-vlc-immediately-1836641101
If you wish, you can read an article which is based on the first one, but is different and newer: https://www.pcgamer.com/vlc-media-player-has-a-critical-security-flaw/

I strongly recommend the K-Lite Codec Pack (Mega Edition, because why not) and the associated Media Player Classic - Home Cinema
https://www.codecguide.com/download_k-lite_codec_pack_mega.htm

TL,DR: VLC has a MAJOR, as-of-yet unpatched security flaw allowing RCE (hackers) onto your PC, Unix or Linux computer. HOWEVER, you have to do a lot of stuff in order to make this exploit be anywhere close to an issue for you. Use caution in downloading stuff.

The security flaw allows for remote code execution (RCE), which gives hackers total access to your computer to install, run, and modify anything on it without your knowledge. Additionally, hackers can exploit the issue to cause denial-of-service attacks, which is a common function of certain malware. CERT-Bund has given this a base vulnerability score of 9.8 out of 10.

PS:Comments have stated this to not be as much of an issue as the two articles say, if caution is used and malicious .mkv files are avoided. Sorry for the overstatement at first; I was reporting based off of what I knew at the time.

PPS: It seems that the gizmodo article was nothing more than clickbait, or relied on someone with an older version of VLC downloading (and playing in VLC) a malicious .mkv file (what even are these? has anyone used these in the last 5 years? I kid, I kid. 😎). I apologize for blowing this out of proportion, and yet I, in all good faith, reported here on what I knew at the time.
Thank you to those users who have supplied further information to me about this issue. I truly appreciate all of you. I'll do my best to not get scared into posting a "PSA: bug report" in the future.

https://twitter.com/videolan/status/1153963312981389312 (and associated thread):
About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.

TL;DR #2: Gizmodo reported on what is a non-issue for most users and scared a lot of people thereby.
Update VLC to the latest version (it probably would be a not-bad idea to upgrade your non-VLC players to the latest versions of those); continue to apply VLC (etc) updates as they release; if you use Ubuntu (read this thread, please), to be fully on the safe side, update the libebml library and see if you need to manually remove the old version (if such a thing is possible, I don't know as I don't use linux); remember to always scan your downloads before opening them; and you should be good.

5 years ago*

Comment has been collapsed.

oh my dog!!

View attached image.
5 years ago
Permalink

Comment has been collapsed.

Cute doggo. 😀

5 years ago
Permalink

Comment has been collapsed.

Haha, I love the gif :)

5 years ago
Permalink

Comment has been collapsed.

View attached image.
5 years ago
Permalink

Comment has been collapsed.

Better version:

View attached image.
5 years ago
Permalink

Comment has been collapsed.

This is Not really any Problem whatsoever as Long as You dont Download Torrents from untrusted sources. Just ignore this post

5 years ago
Permalink

Comment has been collapsed.

Done!

5 years ago
Permalink

Comment has been collapsed.

Yeah, these days it's easy to avoid malicious stuff since most sites have trusted sources either marked or in some categories you'll just have popular names, like ETTV/EZTV for TV and TV movie stuff.

Though, regardless, caution should always be taken.

5 years ago
Permalink

Comment has been collapsed.

Lol, this.

5 years ago
Permalink

Comment has been collapsed.

Why would anyone want to install a codec pack in 2019? Almost every single popular media player beyond MPC has a full codec integration in them. Furthermore, why add dozens to hundreds of different codecs when you can add only LAV which plays literally everything?

By the way, apparently it is a Matroska demux issue, so you'd have to run a malicious MKV file to trigger it.

5 years ago*
Permalink

Comment has been collapsed.

This

5 years ago
Permalink

Comment has been collapsed.

You don't need a CODEC pack with MPC-HC either. It has natively handled everything I've ever thrown at it.

5 years ago
Permalink

Comment has been collapsed.

1) Because many old games use video codecs that no modern version of windows natively comes with. The easy solution is to install a codec pack (only 50 or so MB) and now the game runs. I have personal experience of this.

2) Thank you for the information.

5 years ago
Permalink

Comment has been collapsed.

Old games use either QuickTime or one of the RAD formats. (Or Indeo, but Windows natively supports it since like forever.) If it is QuickTime, many semi-maintained games had the videos converted (most GOG games did), or you should run them in a sandbox/VM as the Windows Quicktime support ended ages ago and Apple said they do not give a fuck about fixing the glaring security holes that were found in the Win edition. The one in K-Lite has the same issue.
As for RAD, LAV supports it for years.

5 years ago
Permalink

Comment has been collapsed.

some of the indeo codecs were not included (in a usable fashion) in win 7; maybe they have been restored in later versions. Civ 2's videos would not play in-game without this codec pack. IIRC, AoE2 had the same issues, as did one or two other of our CD-based games from my childhood. However, thank you for the info!

5 years ago
Permalink

Comment has been collapsed.

K-Lite Codec Pack does not install nor use Quicktime, it relies on LAV filters to play most video formats.

You would only need to install Quicktime if you want to author and create MOV files. But these days MP4 and MKV are pretty much the standard containers.

5 years ago
Permalink

Comment has been collapsed.

But why install it through K-Lite then and add all the crap? LAV is more than enough on its own without the bloatware. :)

5 years ago
Permalink

Comment has been collapsed.

I wouldn't call it bloatware. K-Lite is a convenient collection of up-to-date components including DirectShow filters (LAV filters, DirectVobSub, madVR), a video player (MPC-HC) as well as related tools (like MediaInfo and Icaros for thumbnails in explorer).

It comes in several variants, where the larger ones including more codecs depending on your needs (like ffdshow, XViD, and x264 if you need encoding videos). You can read more on their website codecguide dot com.

5 years ago
Permalink

Comment has been collapsed.

can someone explain to me how that flaw would work in practice?
I mean, in my case, I only use a local copy of VLC to play local files - nothing over a network, no permission to go through my firewall. So how would it be a problem?

5 years ago
Permalink

Comment has been collapsed.

this is a question that i also had, but....

5 years ago
Permalink

Comment has been collapsed.

This gizmodo article is beyond stupid!

To be affected, you would have to download and play a specially crafted MKV file created specifically to take advantage of this bug... You won't get "hacked" as the article implies just by having VLC installed :(

5 years ago
Permalink

Comment has been collapsed.

article conclusion is also huge:

"...you’ve been warned"

LOL

5 years ago
Permalink

Comment has been collapsed.

thanks for this, Micro.

also:

"VideoLAN is also aware of the issue and is currently working on a patch, though right now, that patch appears to only be 60 percent complete"

and from comments:

"the bug only affects opening MKV files. If you don’t download MKV video files from the Internet (torrents), then you are extremely unlikely to encounter a malicious file"

it seems lil' clickbait, but still.
from this one:

For anyone reading, please refer to the actual ticket where one of the lead developers on VLC claims that as of VLC 3.0.7.1 (and likely earlier)
the bug is not reproducible and does not crash:
https://trac.videolan.org/vlc/ticket/22474#comment:3

5 years ago
Permalink

Comment has been collapsed.

Thank you for the info!

It was not my intention to be clickbait-y (I hope the updated title thread reflects this); I was trying to be helpful and merely going off the information which I had at the time. From what I had read, nothing was stated as to how this bug was tripped (and thus how one could avoid doing so), only that "there is this major hole which could be used somehow, so avoid having bad eggs use it by uninstalling the program now."

Also, that means that I--maybe--didn't have to uninstall my old version of VLC. 😳

5 years ago
Permalink

Comment has been collapsed.

I was trying to be helpful

c'mon, say the truth... where do you hide your Monthly referral? :D

you've been helpful, Micro.
"clickbait" was for gizmodo, cause those are "profitable clicks" (and, at same time, "shit" on VLC).

my copy of VLC is here, calmly waiting fo' da patch! :P

5 years ago
Permalink

Comment has been collapsed.

this is why I don't share scary stuff I read online without researching it more thoroughly.

5 years ago
Permalink

Comment has been collapsed.

"VideoLAN is also aware of the issue and is currently working on a patch, though right now, that patch appears to only be 60 percent complete"

I don't get why some people say that 60% is "only 60%". A major flaw was found and in such a short span more than 60% was done. I'd say that's pretty quick.

Regardless, these issues will inevitably happen, so it is what it is. The faster the better. But the VLAN guys didn't leave the mistake in maliciously. Free software will never be perfect. This is as perfect as anything can really get.

Thanks for the info btw :D

5 years ago
Permalink

Comment has been collapsed.

why some people say that 60% is "only 60%"

<3

5 years ago
Permalink

Comment has been collapsed.

Uninstalled. I don't use it anyways, so I don't see any reason to keep it in my laptop.

5 years ago
Permalink

Comment has been collapsed.

Do you use any other video player or do you just not watch videos?

5 years ago
Permalink

Comment has been collapsed.

Maybe he just watches everything online.

5 years ago
Permalink

Comment has been collapsed.

Yeah, forgot about streaming services. Though I also live in an area where I have fewer shows and movies in those services than the Vatican City has.

The pope has more stuff to watch than me. Damn it.

5 years ago
Permalink

Comment has been collapsed.

Like ChibiCthulhu said, I watch everything online.

5 years ago
Permalink

Comment has been collapsed.

Hmm? There is no problem if you are using in an environment where you do not play the "external media" carelessly.

However, in environments where there is a possibility of playing "external media", it may be necessary to temporarily take measures such as uninstalling.
(It is not good if the media player that plays with priority is VLC.)

There is no problem as long as you don't play "poisoned".

And when new versions come out, be sure to update.

5 years ago
Permalink

Comment has been collapsed.

VideoLAN: "About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did https://twitter.com/videolan/status/1153963312981389312

I saw it and tried to post
Other people have already written. XD
BUMP to catch eyes

5 years ago
Permalink

Comment has been collapsed.

Pfft, only amateurs use VLC! I just upload all my video files to Youtube and put them on private!

5 years ago
Permalink

Comment has been collapsed.

clickbait™ everyone dies™ end of the world™ 🙋

5 years ago
Permalink

Comment has been collapsed.

Like several people said there is no reason to uninstall VLC due to this because the only way to get "hacked" is to download specially crafted file designed to take advantage of this security fault. I would still advise uninstalling VLC since there are better players out there, like PotPlayer.

5 years ago
Permalink

Comment has been collapsed.

Can you tell real and verifiable advantages of PotPlayer over VLC?

5 years ago
Permalink

Comment has been collapsed.

PotPlayer has a lot better interface, lot more options and some features that VLC doesn't have, better graphical quality (both live action and anime shows/movies look somewhat washed out in VLC when compared to PP). Some articles claim that PP uses less resources than VLC, but that's something I can't comment on as I haven't tested and compared that myself.

5 years ago
Permalink

Comment has been collapsed.

Sounds pretty subjective. But thanks for your opinion.

5 years ago
Permalink

Comment has been collapsed.

Well better interface is something that can be classified as subjective opinion. But having more options and features isn't subjective, albeit I guess not everyone sees that as a good thing since some people prefer to keep things simple and minimalistic. The difference between colors is quite noticeable too and I'd be surprised if people preferred washed-out colors from VLC.

I would suggest giving PP a try and seeing for yourself. It's free and quick to download so you've got nothing to lose aside from some time.

5 years ago
Permalink

Comment has been collapsed.

The difference between colors is quite noticeable too and I'd be surprised if people preferred washed-out colors from VLC.

Question is not "what people prefer", question is "which is correct". And that's a tricky question, because you will need some kind of reference. Best way to check will be to take some test image, make a video from this image, and compare playback of VLC and PotPlayer. The one that displays colors closer to reference image is better. This test will be objective, while "people preferred" is absolutely subjective.

5 years ago
Permalink

Comment has been collapsed.

No worries on my part. I don't use torrent's and I ONLY use my VLC to watch the odd DVD (yes I still have a DVD player in my pc) when I want to.

5 years ago
Permalink

Comment has been collapsed.

Chuckles Imagine having a DVD player on your pc in 2019. Slowly closes own DVD player

5 years ago
Permalink

Comment has been collapsed.

Well, I don't have a bluray player nor a console. And since my old dvd player broke I decided to actually get a player in my pc. Why let my collection go to waste when I can watch some here and there?

5 years ago
Permalink

Comment has been collapsed.

I gave up on physical media years ago

5 years ago
Permalink

Comment has been collapsed.

I gave up on physical reality years ago myself.

5 years ago
Permalink

Comment has been collapsed.

I had one on my old laptop. It bit the dust and I wasn't going to pay to get one built into this one, so I purchased a USB DVD drive which I use fairly regularly.

5 years ago
Permalink

Comment has been collapsed.

Pshh, DVD player? Real PC users have DVD burners!

Yeah, I can't remember the last time I actually burned a DVD...

5 years ago
Permalink

Comment has been collapsed.

I've burned multiple CDs in the last few weeks. 😎

5 years ago
Permalink

Comment has been collapsed.

To throw at people that get on your lawn?

5 years ago
Permalink

Comment has been collapsed.

Nah, I was burning a windows recovery disc, and something else (can't remember now, but as an offline backup).

5 years ago
Permalink

Comment has been collapsed.

Ah, I've started using USB keys for Windows disks.

5 years ago
Permalink

Comment has been collapsed.

Absolutely false and overblown by Gizmodo.

5 years ago
Permalink

Comment has been collapsed.

This.

5 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 5 years ago.

5 years ago
Permalink

Comment has been collapsed.

[Update 8:35 AM] Based on a tweet by VideoLAN, VLC may not be as vulnerable as it initially appeared. VideoLAN says the “security issue” in VLC was caused by a third-party library called Libebml that was fixed 16 months ago, and that Mitre’s claim was based on a previous (and outdated) version of VLC.

We have reached out to both companies for more info on what happened regarding the initial CVE, and will update the story if we hear back.

VideoLAN
@videolan

About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.

5 years ago
Permalink

Comment has been collapsed.

Sooooooo… in the end, it was Gizmodo being Gizmodo and the article was more about the title than the content?

5 years ago
Permalink

Comment has been collapsed.

Thank you for the update!

5 years ago
Permalink

Comment has been collapsed.

Thank you for the update!

5 years ago
Permalink

Comment has been collapsed.

Shouldn't you update the title considering that it isn't an alarming issue, as it still suggests?

5 years ago
Permalink

Comment has been collapsed.

fixed, thanks

5 years ago
Permalink

Comment has been collapsed.

MKV

No worries, I don't play Mortal Kombat: Deadly Alliance ;)

5 years ago
Permalink

Comment has been collapsed.

LOL. I had not considered that; thanks for the laugh! 🤣

5 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 1 year ago.

5 years ago
Permalink

Comment has been collapsed.

This Twitter thread speaks volume for the consequences of trusting clickbait social media "news" networks, the effects of sharing the first source you see without verifying its accuracy, and the spread of misinformation through lack of research. This has been a problem for a long time, even worse in the social media age, but it gets worse when it happens with more vital info such as the one related to security, safety, and even integrity.

Hopefully VideoLAN recovers from the repercussions of this shit show.

5 years ago
Permalink

Comment has been collapsed.

Yes. I wholeheartedly agree with what you said, wish to again apologize for falling prey to it, and for perhaps alarming some of you. My intentions were honorable and above-board, but the results were a bit lacking.

5 years ago
Permalink

Comment has been collapsed.

Hey no worries - I blame the official/high profile social media/news/blog platforms for this kind of thing happening. You'd think you could trust some of those big accounts and websites, then they pull that stuff and we're proved wrong.

5 years ago
Permalink

Comment has been collapsed.

I appreciate that. :D

5 years ago
Permalink

Comment has been collapsed.

Just migrated from MPC to VLC, and then this article from Gizmodo appeared on my google discovery timeline. Reading through the article, and took a peek on comment discussion, oh well. Blocked gizmodo right away from my timeline.

5 years ago
Permalink

Comment has been collapsed.

I use MPC because of the keyboard shortcuts "Alt + <--" and "Ctrl + <--" allowing me to back up 5 or 20 seconds (depending on which combo I use; I forget exactly which one does which) in the video. VLC looks slightly sharper at times, and has the ability to boost the volume to 150% of the original, but when you push "pause", it tales several frames to pause, while MPC pauses immediately.

Both are nice, but I find myself preferring MPC over VLC. :D

5 years ago
Permalink

Comment has been collapsed.

I do agree about shortcut on VLC. It's not as snappy as it is on MPC. Especially on quitting the program shortcut (CTRL + Q or ALT+Q on MPC(?) I forgot) I can feel the slight delay. About jumping I could easily use Left/Right arrow without CTRL/ALT combo in VLC.

Anyway, I feel VLC is more lightweight than MPC. Also, there's no MPC on macOS (Yes, I use both mac and windows). Just want it to be unified. So... yeah

5 years ago
Permalink

Comment has been collapsed.

Deleted

This comment was deleted 5 years ago.

5 years ago
Permalink

Comment has been collapsed.

New article header:
"You Might Want to Uninstall VLC. Immediately. [Updated: Maybe Not]"

lol.

5 years ago
Permalink

Comment has been collapsed.

Read gizmodo. Knew it was going to be a clickbait article

But damn. It was an old problem fixed 16 months ago. And Gizmodo didn't even bother contacting videoLAN even once before creating that article? That's low, even for them. What about the 90 days warning to the company to fix vulnerabilities?

I hope VLC doesn't suffer too much.

5 years ago
Permalink

Comment has been collapsed.

Is there any reason to use VLC over other players like MPC-BE? It has a horrible UI and can't even do basic things like play/pause video when you click on the viewing window which annoys me greatly.

5 years ago
Permalink

Comment has been collapsed.

Sign in through Steam to add a comment.