For years, I've taken it as gospel that VLC was the open source media choice (and taken it to every platform I've used), but after reading these tweets, I'm less certain. That last tweet, in particular, reminds me of the issue we all recognize around using "crypto" wallets instead of dedicated Bitcoin wallets -- why offer up extra attack vectors via things we're not even using?
Going to be taking a deep dive looking into MPV today.
Would appreciate explicit alternatives. I'm not getting my family to use an ffmpeg wrapper from the command line.
reply
MPV (the app she mentions) does have downloadable executables that I'm playing with right now. They seem to do the trick, but it's much more bare-bones. Will be going down the rabbit-hole deeper later this week, though.
reply
My phone won’t load the tweets ahhhhhh
reply
Disagree
Code execution through subtitles is bad. But it is being/will be fixed.
If you have compromised files that's on you. Skill issue.
The far greater threat is the fast growing amount of codecs and file formats that have to be supported on a huge number of platforms. In a landscape that is only a few decades old. If you want longevity of your data you have to embrace the big dogs of FOSS. There is no way around it.
reply
I agree with Laurie here. The VLC codebase is a mess. The RCE from subtitles is merely a symptom. Yes, all code has bugs. Some code is buggier than others. The surface area of all those codecs and file parsers really adds up. The fact it was an example of “easy to find vulns” in the past is also telling.
If you look at 0-click exploits for mobile in the last few years, they almost certainly relate to file or content parsing. It’s going to continue to be a thing as long as there is untrusted data being parsed in unsafe languages.
Skill issue! Blame the victim. Oh my. If only it was that simple.
reply
ahh...sheit
reply
@ek would it be possible to include a snapshot here in case the tweet gets deleted?
reply
0 sats \ 0 replies \ @ek 15 Jan
oof
reply