It’s not unusual to hear reports of vulnerabilities in software, both open source and closed. Those bugs are reported against software big and small alike, but the more popular the program, the bigger the noise. When it comes to multimedia players, there’s probably no bigger program than VLC, and now it’s at the center of a “he said, she said” kind of debate over a reported severe vulnerability.
VLC earned its fame for its ubiquity and universality. It could play almost any multimedia format known to the industry. It is also available on almost all operating systems, desktop or mobile, including Linux. So when a frightening vulnerability is reported against it, people stop and listen and worry.
The security exploit was reported by Germany’s national Computer Emergency Response Team (CERT-Bund) and paints a scary picture. A specially formatted media file (using the MKV container) could do a range of things, from crashing the media player to manipulating files on the victim’s computer. As of the moment, the bug has a Common Vulnerability Scoring System (CVSS) entry but no patch yet. Fortunately, there is also no known active exploit for it yet.
Part of that could be because there is no vulnerability at all, or at least that’s what VLC developer VideoLAN seems to be implying. It has not only downplayed the report as “fake news” but even claims there are no crashes at all.
At this point, it could be difficult for regular users to put faith in either camp, as both have vested interests in proving their point. Even users who have tried out the supposed exploit have gotten inconsistent results. While it might be too early to jump ship, VLC users might want to take caution with the files they play, especially if acquired from suspicious sources on the Internet.