VLC is one of the world's most popular video players, thanks in no small part to its free, open-source build.
Unfortunately, reports suggest that its open-source nature might have also made it vulnerable to hackers. A security flaw, discovered by German security agency CERT-Bund, means that hackers could gain access to your files via the media player.
Before deleting VLC, it might be worth hearing the video player's representatives out though: they say it's all "fake news."
An alleged 'critical' flaw
As Gizmodo reports, German security agency CERT-Bund discovered a very serious flaw (via WinFuture) in VLC (listed as CVE-2019-13615). The flaw was given a base vulnerability score of 9.8, which classifies it as “critical.” Gizmodo recommends deleting VLC "until the folks at the VideoLAN Project can patch the flaw."
The vulnerability allegedly allows for RCE (remote code execution). This type of flaw can allow hackers to install, modify, or run software on a users computer without authorization. It could also be used to find and look through a computer's files.
Gizmodo reports that the Windows, Linux, and Unix versions of VLC are all affected, but not the macOS version. If true, that is a huge amount of vulnerable users.
However, new reports suggest that is a big 'if.'
Fake cybersecurity news?
As per Lifehacker, the bug report for this issue has been open for four weeks, but VideoLAN president and lead VLC developer Jean-Baptiste Kempf has just recently left a series of comments suggesting the reports are "fake news."
Kempf made the following comments:
“This does not crash a normal release of VLC 188.8.131.52"
“If you land on this ticket through a news article claiming a critical flaw in VLC, I suggest you to read the above comment first and reconsider your (fake) news sources.”
“Sorry, but this bug is not reproducible and does not crash VLC at all.”
VideoLAN organization, the group behind VLC, also tweeted the following:
Hey @MITREcorp and @CVEnew , the fact that you NEVER ever contact us for VLC vulnerabilities for years before publishing is really not cool; but at least you could check your info or check yourself before sending 9.8 CVSS vulnerability publicly...— VideoLAN (@videolan) July 23, 2019
They claim that the issue was fixed 18 months ago and that VLC is not vulnerable.
About the "security issue" on #VLC : VLC is not vulnerable.— VideoLAN (@videolan) July 24, 2019
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
Updates are ongoing, but it seems that CERT-Bund might be in hot water if they truly published a fake security flaw. In the meantime, it's up to you who you believe. Keep your eyes on VLC's ChangeLog to see if any fixes related to the issue come up — or if it really is all just fake news.