This week has been a bit of a roller-coaster for VLC. A few days ago the popular media player was put on blast by security researchers for a long-standing vulnerability. The news swiftly made the rounds, prompting VLC to issue its own statement claiming that the researchers got their facts wrong and had been testing a very old version of the software.
The MITRE Corporation initially gave the VLC vulnerability a 9.8 rating, making it fairly severe. VLC claims that the person who reported the vulnerability was using an old version of Ubuntu with outdated libraries; the security bug was fixed almost 16 months ago in VLC version 3.0.3, which would make this recent report invalid.
VLC has also put MITRE on blast on Twitter, stating that MITRE issued a CVE security notice without getting in touch with VLC for verification, which would be in violation of the group's own policies. VLC also claims that this is not the first time this has happened, with security issues being made public before any attempt to resolve them privately, an important step when it comes to cyber security issues.
MITRE has since downgraded the CVE-2019-13615 bug from a 9.8 rating to a 5.5, adding that it is “awaiting reanalysis that may result in further changes to the information provided”.
KitGuru Says: There were some headlines earlier this week telling people to outright uninstall VLC, but it appears that a lot of fuss has been kicked up over nothing in this case. As always, if you want to remain secure, it is best to update your software regularly.