When vulnerability disclosure goes wrong

Four weeks ago, a new critical vulnerability was reported in the widely used VideoLAN VLC Media Player. At the time no fix was available.

Earlier today, key developers from VideoLAN analysed the bug report and found that the supplied exploit simply causes a memory leak, which does not always crash the player. At no time was this behaviour exploitable by an attacker; it was simply a non-security code issue.

After further analysis it was determined that the issue lay within a third-party library, libebml. Version 1.3.6 resolves the reported issue and was shipped with VLC version 3.0.3 (in May 2018). The release notes from that time state: “Numerous 3rd party libraries updated, fixing security issues”.

The above bug report was interesting because numerous technology news websites, and even CERTs, had incorrectly warned of the vulnerability and claimed that a fix was 60% complete (it is unknown how that figure was obtained).

It demonstrates how quickly the report of an issue can spread long before anyone has worked on it and verified its legitimacy. After analysis by key VLC developers, there wasn’t an issue at all in updated versions of VLC.

This is really unfair to VideoLAN. They received a lot of negative press for an issue that wasn’t their fault. The truth of the matter is that nobody checked the claims of the person disclosing it before going to the media, and the original reporter disclosed the vulnerability on a public forum rather than privately to VideoLAN.

Today demonstrates how NOT to disclose a vulnerability.

Please find below the link to the bug report, the full details provided by VideoLAN on their Twitter account, and further background information:

https://trac.videolan.org/vlc/ticket/22474

https://twitter.com/videolan/status/1153963312981389312

https://portswigger.net/daily-swig/vlc-developer-debunks-reports-of-critical-security-issue-in-open-source-media-player

Thank you.
