Recently a number of articles were published alerting VLC users to a new zero-day. The remote code execution this zero-day supposedly allows does sound scary, and users should certainly be made aware of the issue. Yet there’s a difference between sensible and sensational reporting.
For example, some news sources exclaimed:
“A patch does not yet exist for a critical buffer overflow vulnerability in VLC Media Player that could enable remote code execution.” - Lindsey O’Donnell, “VLC Media Player Plagued By Unpatched Critical RCE Flaw,” ThreatPost, July 23, 2019.
“You Might Want to Uninstall VLC. Immediately.” - Sam Rutherford, “You Might Want to Uninstall VLC. Immediately,” Gizmodo, July 23, 2019.
The VLC team took to Twitter to clear the air: the security researchers had tested on a very old, unpatched operating system, and the bug they reported had actually been fixed over a year earlier. Furthermore, the bug was a non-exploitable overflow that requires the user to open a crafted file. The actual risk of exploitation was low. What’s most concerning about the bug’s discovery is:
The security researchers never communicated with the VLC team about it.
CERT-Bund never communicated with the VLC team about it.
NIST never communicated with the VLC team about it.
No news agency ever communicated with the VLC team about it.
Why was there such a major failure in communication by all of these teams?
A hint exists on CVE’s (Common Vulnerabilities and Exposures) Twitter feed. You’ll notice they post new CVEs frequently - many every hour. They would need a very large team to verify the accuracy of all of these claims. NIST (through the NVD) and CERT-Bund perform a similar cataloguing function and are restricted by the same limitations. Unfortunately, that leaves the onus on security researchers to properly vet their discoveries and follow the proper disclosure process, and on the media to verify these stories before publishing, to avoid perpetuating false accusations.
Fortunately, both ThreatPost and Gizmodo updated their articles to include the critical context that was missing from their original, sensational headlines.