Yeah, these days it's easy to avoid malicious stuff since most sites have trusted sources either marked or in some categories you'll just have popular names, like ETTV/EZTV for TV and TV movie stuff.
Though, regardless, caution should always be taken.
Why would anyone want to install a codec pack in 2019? Almost every single popular media player beyond MPC has a full codec integration in them. Furthermore, why add dozens to hundreds of different codecs when you can add only LAV which plays literally everything?
By the way, apparently it is a Matroska demux issue, so you'd have to run a malicious MKV file to trigger it.
1) Because many old games use video codecs that no modern version of Windows natively comes with. The easy solution is to install a codec pack (only 50 or so MB) and now the game runs. I have personal experience of this.
2) Thank you for the information.
Old games use either QuickTime or one of the RAD formats. (Or Indeo, but Windows natively supports it since like forever.) If it is QuickTime, many semi-maintained games had the videos converted (most GOG games did), or you should run them in a sandbox/VM as the Windows Quicktime support ended ages ago and Apple said they do not give a fuck about fixing the glaring security holes that were found in the Win edition. The one in K-Lite has the same issue.
As for RAD, LAV has supported it for years.
Some of the Indeo codecs were not included (in a usable fashion) in Win 7; maybe they have been restored in later versions. Civ 2's videos would not play in-game without this codec pack. IIRC, AoE2 had the same issues, as did one or two other of our CD-based games from my childhood. However, thank you for the info!
K-Lite Codec Pack does not install nor use Quicktime, it relies on LAV filters to play most video formats.
You would only need to install Quicktime if you want to author and create MOV files. But these days MP4 and MKV are pretty much the standard containers.
I wouldn't call it bloatware. K-Lite is a convenient collection of up-to-date components including DirectShow filters (LAV filters, DirectVobSub, madVR), a video player (MPC-HC) as well as related tools (like MediaInfo and Icaros for thumbnails in explorer).
It comes in several variants, where the larger ones include more codecs depending on your needs (like ffdshow, XViD, and x264 if you need to encode videos). You can read more on their website codecguide dot com.
This gizmodo article is beyond stupid!
To be affected, you would have to download and play a specially crafted MKV file created specifically to take advantage of this bug... You won't get "hacked" as the article implies just by having VLC installed :(
thanks for this, Micro.
also:
"VideoLAN is also aware of the issue and is currently working on a patch, though right now, that patch appears to only be 60 percent complete"
and from comments:
"the bug only affects opening MKV files. If you don’t download MKV video files from the Internet (torrents), then you are extremely unlikely to encounter a malicious file"
it seems lil' clickbait, but still.
from this one:
For anyone reading, please refer to the actual ticket where one of the lead developers on VLC claims that as of VLC 3.0.7.1 (and likely earlier)
the bug is not reproducible and does not crash:
https://trac.videolan.org/vlc/ticket/22474#comment:3
Thank you for the info!
It was not my intention to be clickbait-y (I hope the updated title thread reflects this); I was trying to be helpful and merely going off the information which I had at the time. From what I had read, nothing was stated as to how this bug was tripped (and thus how one could avoid doing so), only that "there is this major hole which could be used somehow, so avoid having bad eggs use it by uninstalling the program now."
Also, that means that I--maybe--didn't have to uninstall my old version of VLC. 😳
I was trying to be helpful
c'mon, say the truth... where do you hide your Monthly referral? :D
you've been helpful, Micro.
"clickbait" was for gizmodo, cause those are "profitable clicks" (and, at same time, "shit" on VLC).
my copy of VLC is here, calmly waiting fo' da patch! :P
"VideoLAN is also aware of the issue and is currently working on a patch, though right now, that patch appears to only be 60 percent complete"
I don't get why some people say that 60% is "only 60%". A major flaw was found and in such a short span more than 60% was done. I'd say that's pretty quick.
Regardless, these issues will inevitably happen, so it is what it is. The faster the better. But the VLAN guys didn't leave the mistake in maliciously. Free software will never be perfect. This is as perfect as anything can really get.
Thanks for the info btw :D
Hmm? There is no problem if you are using it in an environment where you do not play the "external media" carelessly.
However, in environments where there is a possibility of playing "external media", it may be necessary to temporarily take measures such as uninstalling.
(It is not good if the media player that plays with priority is VLC.)
There is no problem as long as you don't play "poisoned".
And when new versions come out, be sure to update.
VideoLAN: "About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did https://twitter.com/videolan/status/1153963312981389312
I saw it and tried to post
Other people have already written. XD
BUMP to catch eyes
Like several people said there is no reason to uninstall VLC due to this because the only way to get "hacked" is to download specially crafted file designed to take advantage of this security fault. I would still advise uninstalling VLC since there are better players out there, like PotPlayer.
Can you tell real and verifiable advantages of PotPlayer over VLC?
PotPlayer has a lot better interface, lot more options and some features that VLC doesn't have, better graphical quality (both live action and anime shows/movies look somewhat washed out in VLC when compared to PP). Some articles claim that PP uses less resources than VLC, but that's something I can't comment on as I haven't tested and compared that myself.
Sounds pretty subjective. But thanks for your opinion.
Well better interface is something that can be classified as subjective opinion. But having more options and features isn't subjective, albeit I guess not everyone sees that as a good thing since some people prefer to keep things simple and minimalistic. The difference between colors is quite noticeable too and I'd be surprised if people preferred washed-out colors from VLC.
I would suggest giving PP a try and seeing for yourself. It's free and quick to download so you've got nothing to lose aside from some time.
The difference between colors is quite noticeable too and I'd be surprised if people preferred washed-out colors from VLC.
Question is not "what people prefer", question is "which is correct". And that's a tricky question, because you will need some kind of reference. Best way to check will be to take some test image, make a video from this image, and compare playback of VLC and PotPlayer. The one that displays colors closer to reference image is better. This test will be objective, while "people preferred" is absolutely subjective.
No worries on my part. I don't use torrents and I ONLY use my VLC to watch the odd DVD (yes I still have a DVD player in my PC) when I want to.
Well, I don't have a Blu-ray player nor a console. And since my old DVD player broke I decided to actually get a player in my PC. Why let my collection go to waste when I can watch some here and there?
[Update 8:35 AM] Based on a tweet by VideoLAN, VLC may not be as vulnerable as it initially appeared. VideoLAN says the “security issue” in VLC was caused by a third-party library called Libebml that was fixed 16 months ago, and that Mitre’s claim was based on a previous (and outdated) version of VLC.
We have reached out to both companies for more info on what happened regarding the initial CVE, and will update the story if we hear back.
VideoLAN @videolan
About the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
MKV
No worries, I don't play Mortal Kombat: Deadly Alliance ;)
This Twitter thread speaks volumes for the consequences of trusting clickbait social media "news" networks, the effects of sharing the first source you see without verifying its accuracy, and the spread of misinformation through lack of research. This has been a problem for a long time, even worse in the social media age, but it gets worse when it happens with more vital info such as the one related to security, safety, and even integrity.
Hopefully VideoLAN recovers from the repercussions of this shit show.
Hey no worries - I blame the official/high profile social media/news/blog platforms for this kind of thing happening. You'd think you could trust some of those big accounts and websites, then they pull that stuff and we're proved wrong.
I use MPC because of the keyboard shortcuts "Alt + <--" and "Ctrl + <--" allowing me to back up 5 or 20 seconds (depending on which combo I use; I forget exactly which one does which) in the video. VLC looks slightly sharper at times, and has the ability to boost the volume to 150% of the original, but when you push "pause", it takes several frames to pause, while MPC pauses immediately.
Both are nice, but I find myself preferring MPC over VLC. :D
I do agree about shortcut on VLC. It's not as snappy as it is on MPC. Especially on quitting the program shortcut (CTRL + Q or ALT+Q on MPC(?) I forgot) I can feel the slight delay. About jumping I could easily use Left/Right arrow without CTRL/ALT combo in VLC.
Anyway, I feel VLC is more lightweight than MPC. Also, there's no MPC on macOS (Yes, I use both mac and windows). Just want it to be unified. So... yeah
Read Gizmodo. Knew it was going to be a clickbait article
But damn. It was an old problem fixed 16 months ago. And Gizmodo didn't even bother contacting VideoLAN even once before creating that article? That's low, even for them. What about the 90 days warning to the company to fix vulnerabilities?
I hope VLC doesn't suffer too much.
First of all, read this https://gizmodo.com/you-might-want-to-uninstall-vlc-immediately-1836641101
If you wish, you can read an article which is based on the first one, but is different and newer: https://www.pcgamer.com/vlc-media-player-has-a-critical-security-flaw/
I strongly recommend the K-Lite Codec Pack (Mega Edition, because why not) and the associated Media Player Classic - Home Cinema
https://www.codecguide.com/download_k-lite_codec_pack_mega.htm
TL;DR: VLC has a MAJOR, as-of-yet unpatched security flaw allowing RCE (hackers) onto your PC, Unix or Linux computer. HOWEVER, you have to do a lot of stuff in order to make this exploit be anywhere close to an issue for you. Use caution in downloading stuff.
The security flaw allows for remote code execution (RCE), which gives hackers total access to your computer to install, run, and modify anything on it without your knowledge. Additionally, hackers can exploit the issue to cause denial-of-service attacks, which is a common function of certain malware. CERT-Bund has given this a base vulnerability score of 9.8 out of 10.
PS: Comments have stated this to not be as much of an issue as the two articles say, if caution is used and malicious .mkv files are avoided. Sorry for the overstatement at first; I was reporting based off of what I knew at the time.
PPS: It seems that the Gizmodo article was nothing more than clickbait, or relied on someone with an older version of VLC downloading (and playing in VLC) a malicious .mkv file (what even are these? has anyone used these in the last 5 years? I kid, I kid. 😎). I apologize for blowing this out of proportion, and yet I, in all good faith, reported here on what I knew at the time. Thank you to those users who have supplied further information to me about this issue. I truly appreciate all of you. I'll do my best to not get scared into posting a "PSA: bug report" in the future.
https://twitter.com/videolan/status/1153963312981389312 (and associated thread):
About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
TL;DR #2: Gizmodo reported on what is a non-issue for most users and scared a lot of people thereby.
Update VLC to the latest version (it probably would be a not-bad idea to upgrade your non-VLC players to the latest versions of those); continue to apply VLC (etc) updates as they release; if you use Ubuntu (read this thread, please), to be fully on the safe side, update the libebml library and see if you need to manually remove the old version (if such a thing is possible, I don't know as I don't use linux); remember to always scan your downloads before opening them; and you should be good.
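Added example, not part of the original post and not VideoLAN's own tooling: a shell check for the "update VLC" advice above, using the 3.0.3 threshold from the VideoLAN statement quoted in the thread. The function names are hypothetical and the sample version lines are constructed; fields are compared as integers because a plain string comparison would rank 3.0.10 below 3.0.3.

```shell
#!/bin/sh
# Added example. Threshold taken from the VideoLAN tweet quoted in the thread:
# "VLC since version 3.0.3 has the correct version shipped".
MIN_FIXED="3.0.3"

# Pull the first dotted numeric version out of `vlc --version` style text.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# version_ge A B: succeed when A >= B, comparing dot-separated fields as integers.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        [ -n "$fa" ] || fa=0          # a missing field counts as 0 (3.0 == 3.0.0)
        [ -n "$fb" ] || fb=0
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# check_vlc TEXT: print a verdict; return 0 = at or above 3.0.3, 1 = older, 2 = unparseable.
check_vlc() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo "unknown: no version found"; return 2
    fi
    if version_ge "$v" "$MIN_FIXED"; then
        echo "ok: $v"; return 0
    fi
    echo "update: $v"; return 1
}

# Constructed sample lines, shaped like the first line of `vlc --version`.
for line in "VLC media player 3.0.7.1 Vetinari (revision constructed)" \
            "VLC media player 2.2.8 Weatherwax (revision constructed)" \
            "not a version line"; do
    check_vlc "$line" || true
done

# On a machine with VLC on PATH, check the installed copy as well.
if command -v vlc >/dev/null 2>&1; then
    check_vlc "$(vlc --version 2>/dev/null)" || true
fi
```

This only checks VLC's own version number; a distribution that packages libebml separately, as in the Ubuntu case mentioned in the post, needs that package checked through its package manager.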