VLC And Secunia Fighting Over Vulnerability Reports 100
benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)."
There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.
A slow decline (Score:0, Insightful)
The so-called 'security' firms have just been building a business model around some accidents of history - buffer overflow, sql injections, etc...
When all of these go away, slowly but surely, computer intrusion as we know it will cease to exist and 'hacking into computers' will be a thing of the past.
Re:You'd be surprised (Score:5, Insightful)
Learn.
It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.
Re:Yet another biased Slashdot story (Score:5, Insightful)
Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner. Fuck my old boots, the world will end tomorrow.
VLC over-priced? What planet are you on, it's a free in both senses of the word, you plank! If anyone is selling media playback, they'll simply put a wrapper over ffmpeg, like 99% of Windows and OSX video players do already.
Re:Yet another biased Slashdot story (Score:3, Insightful)
Disrupt that playback, and you have denial of service, period.
Except if you control the data stream going to VLC you can do far more than disrupt the service. No exploit is needed.