14:33 CET on the 9th July 2013 Entry written by Secunia Research.
As a security company running a vulnerability database, our primary responsibility is to provide accurate information about vulnerabilities in various software and issue factual and neutral advisories. However, in this quest of ours we can encounter various difficulties, especially from vendors who are overprotective about their code and in denial about the vulnerabilities found in their software. They misinterpret our advisories as a misrepresentation of facts in order to make them look bad.
A recent legal threat was from VLC, regarding Secunia Advisory SA51464, which was issued for a use-after-free vulnerability in VLC. The vulnerability was publicly reported by a third party researcher Kaveh Ghaemmaghami on the Full-Disclosure mailing list in VLC version 2.0.4. The root cause of the vulnerability lies in the underlying FFmpeg library, which VLC statically links to. It was reported that the vulnerability was caused due to a buffer overflow issue when parsing SWF files, which was incorrect. Secunia Research performed additional research on the reported issue and correctly analysed it to be a use-after-free issue. When the VLC security team became aware of this vulnerability, they tried to fix the issue. However, they failed to understand the root cause and provided a patch which did not fix the core issue.
When the VLC team released version 2.0.5, which claimed to fix SA51464, Secunia Research contacted the VLC security team and informed them about the incorrect patch. However, VLC apparently disregarded our mail.
Later, another researcher independently contacted us via SVCRP (Secunia Vulnerability Coordination Reward Program) and reported a vulnerability in VLC version 2.0.5. When we analysed the vulnerability, it turned out to be the same use-after-free issue described in SA51464 - only the vector this time was via an AVI file rather than an SWF file. After completing our analysis we decided to contact the VLC team again with the new PoC in an effort to inform them about the core problem. Unexpectedly, the VLC team again disregarded the issue and claimed that the vulnerability was fixed. We found the response concerning, especially since two completely unrelated researchers had found the same vulnerability, which increases the chances of a malicious person exploiting this issue. We decided to give the VLC team time, expecting that they would re-visit the issue and provide a proper fix.
However, even after VLC version 2.0.6 had been released we noticed that the core problem remained unpatched. Various changes done in other parts of the code did make exploitation difficult, but the issue was still unpatched. On May 21st, 2013, the VLC team contacted us after office hours and threatened us with legal action if we did not update Secunia Advisory SA51464 and changed its patch status within 24 hours of sending the email. In the same email they also claimed that we were lying to our customers about the unpatched vulnerability. This was surprising, since we had repeatedly contacted the VLC team and tried to keep an open communication with them, as getting the vulnerability fixed would benefit the users of both VLC and Secunia.
The next day we re-visited the issue, however, we came up with the same result, that the use-after-free vulnerability did indeed exist in version 2.0.6. Crafting an exploit, as mentioned earlier, was a bit tricky, due to changes in other parts of the code. Exploitation required inducing and winning a small race condition between the release and use of memory. However, since we could not prove exploitation, we decided to change the status to “Patched”. We decided to give VLC the benefit of the doubt, until we had done additional research and had a better proof of exploitability.
We conducted further analysis after we updated our advisory and concluded that the issue is exploitable even in the newly released version 2.0.7. We have therefore updated our advisory and set the patch status of Secunia Advisory SA51464 to unpatched. Any future legal action from the VLC team will be dealt with accordingly.
While the curious case of the use-after-free vulnerability was going on, we received a new coordination report for a vulnerability in VLC version 2.0.6. The vulnerability is an integer overflow error when parsing MKV (Matroska) files. Exploiting the vulnerability is surprisingly straight forward and we reported the vulnerability to the VLC team on April 23rd, 2013. The VLC team acknowledged receiving the vulnerability report and stated that they would need more time to fix the vulnerability. As per our disclosure policy, the vendor was contacted after one month of the initial disclosure date as a part of our monthly status update cycle to get an update on the status of the fix. As a response, we expected the vendor to provide us with a timeline or a date on which a patch for the vulnerability would be released. However, the vendor responded stating that he didn’t know what vulnerability we where referring to, and that Secunia wasn’t collaborating with VLC, so why should they help us. VLC must clearly have misunderstood something here, as it is Secunia that is helping VLC by coordinating a vulnerability with them and even providing them with a reliable PoC. We tried to make this clear in our response to them, hoping that they would understand the issue. However, they replied that the issue is only a crash, which results in the application gracefully terminating. This was despite the fact that the vendor was provided with a PoC, which could reliably control the contents of the corrupted memory. We informed the VLC team that, as per our disclosure policy, if a vendor does not provide us with timely updates or is unwilling to fix the issue, then we would release our advisory to make the users aware of the risk so that they may protect themselves via other means e.g. not opening untrusted files or using other software until a patch for the vulnerability is available.
We're not sure if our communication wasn't clear enough, since VLC publicly claimed that we were threatening them about vulnerabilities. At no point did we digress from our disclosure policy, or threaten the vendor in any way, and were merely looking out for the safety of the users of VLC. The vendor further went on to state that they would block the installation of VLC if they detected an installation of Secunia's PSI, unless we would stop our lies. We consider this a confirmation that the vendor is unwilling to coordinate the vulnerability with Secunia and therefore we have decided to publish our advisory for the integer overflow error for the safety of the VLC user base. In order to be sure and not to leave a blind spot, we even tested the then nightly releases of VLC and noticed that while the issue was fixed in the nightly released of version 2.1.0, the nightly release of version 2.0.7 was affected. The latest stable version 2.0.7 is still affected by the issue and our advisory states this.
A lot can be said about these episodes and VLC. That VLC apparently doesn’t think vulnerabilities in third party libraries, for example FFmpeg (which is statically linked), are issues they would need to warn their users about, but only vulnerabilities in the “main” VLC code, is obviously not the right thing to do, and gives a false image on the security status of VLC.
Although we generally discourage having communication with vendors through blog posts and alike, sadly we see no way forward in coordinating vulnerabilities with VLC. Until we receive a reach out from VLC and see a noticeable change in attitude and behaviour, we will drop all kind of cooperation with VLC, and publish all future vulnerabilities found immediately.
Discuss this blog entry
A new thread in our forum is created. Activate the thread by
Score: -5 Posts: 1 User Since: 10th Jul 2013 System Score: N/A Location: UK Last edited on 10th Jul, 2013 22:20
After reading both your and VLC's blog post it is very clear that you are total liars. You are being very unclear about what you want from the VLC development team and they have evidence that shows they have done exactly as you asked. What are you doing attacking a perfectly secure open source project?
Post some of these POCs and maybe you would be more believable but the POC posted by VLC certainly seems to no longer work.
Score: 38 Posts: 139 User Since: 26th Nov 2008 System Score: 100% Location: US
As VLC is a freely downloadable media player, and free to use, it seems a bit odd for VLC not to acknowledge any and all efforts on Secunia's part to address any found or discovered new security vulnerabilities in a responsible and timely manner.
Ignoring a security issue will not make it go away.
I've used VLC in the past, and noted certain issues caused by running it on my system, beginning with version 2.0.4 and continuing with versions 2.05 and 2.0.6, and decided to uninstall it after struggling with these issues and do without.
I did not try version 2.0.7. Good thing I did not, as that too, is reported as being vulnerable.
The main issue was, for me, was getting certain built-in VLC codecs to run properly without crashing VLC and then it would also automatically disable by default the ability of Windows Media Player to take back WMP native codecs for itself.
Now I know why I was having these issues, thanks to Secunia.
Programs rated as vulnerable have no place on my systems.
-- XP Pro SP3 P4 3.2 HT 2 GB RAM Avast! 9.0.2018 AIS
Win 7 Home Pro SP1 Pentium D 2.8 3 GB RAM Avast 9.0.2018 AIS
Secunia PSI 188.8.131.5203 XP Pro 32-bit & Win 7 H Pro 64-bit
Score: 3 Posts: 66 User Since: 4th Feb 2011 System Score: N/A Location: DE Last edited on 15th Jul, 2013 17:34
I think VLC mediaplayer in principle is an excelent peace of software. Therefore it's realy a pity that the problems can be focused on e few guys at VideoLan. For myself I have made some very displeasing experiences with the head Jean-Baptiste Kempf. I'm convinced that he is good programmer. But I think he is missing some skills for beeing the president of VideoLan.
I don't know enough about what happend in the past between Secunia and VideoLan. And I don't understand why it is that unpossible to behave like it is normal in science. There exists a standart procedure to discuss about errors and hint's are welcome and nobody feels offended (mostly..) by hints.
But Jean-Baptiste Kempf behaves childish. Therefore it's good that there is the VLC developer TypX as you can read here: