
VLC And Secunia Fighting Over Vulnerability Reports

Unknown Lamer posted about a year ago | from the fight-fight-fight dept.

Bug 100

benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not.


Happy Wednesday from The Golden Girls! (-1)

Anonymous Coward | about a year ago | (#44239211)

Thank you for being a friend
Traveled down the road and back again
Your heart is true, you're a pal and a cosmonaut.

And if you threw a party
Invited everyone you knew
You would see the biggest gift would be from me
And the card attached would say, thank you for being a friend.

Re:Happy Wednesday from The Golden Girls! (-1)

Anonymous Coward | about a year ago | (#44239357)

you fucking asshole.

It's "confidant" not "cosmonaut."

What an asshole.

Orson Scott Card likes the dirty sanchez.

Re:Happy Wednesday from The Golden Girls! (-1)

Anonymous Coward | about a year ago | (#44239513)

Why the hostility?

Bea Arthur looks a lot like Brezhnev, so it's an easy mistake to make.

Re:Happy Wednesday from The Golden Girls! (-1)

Anonymous Coward | about a year ago | (#44240747)

yhbt yhl hand

Enders Game blows (-1)

Anonymous Coward | about a year ago | (#44239257)

I'm a faggot. Suck my dic Orson Scott Card!!!

Re:Enders Game blows (-1)

Anonymous Coward | about a year ago | (#44239637)

fucking fag you are. go eat shit, fag.

Re:Enders Game blows (-1)

Anonymous Coward | about a year ago | (#44239683)

Sup Orson. Become a Slashdot poster?

... citation? (0)

Anonymous Coward | about a year ago | (#44239307)

despite dire warnings from Secunia that it could be exploitable, it most certainly is not.

", said so-and-so.

See how that is done?

Re:... citation? (5, Interesting)

dgatwood (11270) | about a year ago | (#44240329)

No citation needed. AFAIK, there are no known vectors for exploiting an uncaught exception, with two exceptions:

  • If the exception itself causes some secret information to be leaked to a log file somewhere. This does not apply because the content being played is owned by the computer's owner, who also owns the log files.
  • If the exception causes some component to get freed and you end up with a use-after-free situation (or it causes some process to die and some other process fails to handle that death in a safe manner). Presumably VLC is designed to handle codecs going away, but if not, then that is the exploitable vulnerability, not the exception itself.

Re:... citation? (1)

gandhi_2 (1108023) | about a year ago | (#44241355)

From a journalistic standpoint, that last sentence DOES need a citation. It stands out even worse because the other statements are well cited.

Re:... citation? (0)

Anonymous Coward | about a year ago | (#44241833)

No citation needed. AFAIK, there are no known vectors for exploiting an uncaught exception, with two exceptions:

I'm fairly sure what's happening is that in a 32-bit build it's an integer overflow, whereas in a 64-bit build it doesn't overflow and "just" tries to allocate an unreasonable amount of memory, which throws the exception. (From the blog post, "This uncaught exception makes VLC abort, not execute random code, on my Linux 64bits machine.") So the exception itself isn't exploitable, but under some circumstances something different and exploitable happens instead.

Re:... citation? (1)

dgatwood (11270) | about a year ago | (#44243251)

If that's what's happening, then yes, that sort of bug is almost always exploitable.

Re:... citation? (1)

dgatwood (11270) | about a year ago | (#44244979)

With that said, the exception is not the security hole; the integer overflow is.
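
The distinction drawn in the replies above, as an added example that is not part of the thread and is not VLC's code: a size computed from untrusted header fields wraps in a 32-bit size type (undersized buffer, the memory-safety bug) but only fails to allocate in a 64-bit one (exception, which reaches std::terminate if nothing catches it). The count-times-element-size chunk layout and all function names are assumptions made for the illustration.

```cpp
// Added illustration. The chunk layout and every name here are hypothetical;
// this is not code from VLC's Matroska demuxer.
#include <cstddef>
#include <cstdint>
#include <exception>
#include <iostream>
#include <limits>
#include <vector>

// Header fields as a parser would read them from an untrusted file.
struct ChunkHeader {
    std::uint32_t count;      // number of elements the file claims
    std::uint32_t elem_size;  // bytes per element the file claims
};

// Unchecked size computation carried out in a size type of width SizeT.
// A 32-bit SizeT wraps modulo 2^32; a 64-bit SizeT always holds the product.
template <typename SizeT>
SizeT naive_alloc_size(const ChunkHeader& h) {
    return static_cast<SizeT>(h.count) * static_cast<SizeT>(h.elem_size);
}

// Bytes the parser will later write: the true, unwrapped product.
std::uint64_t bytes_needed(const ChunkHeader& h) {
    return static_cast<std::uint64_t>(h.count) * h.elem_size;
}

// True when the computed size is smaller than what will be written.
// This is the integer-overflow bug; no exception is involved.
template <typename SizeT>
bool allocation_is_undersized(const ChunkHeader& h) {
    return static_cast<std::uint64_t>(naive_alloc_size<SizeT>(h)) < bytes_needed(h);
}

enum class Result { Ok, Rejected, AllocFailed };

// Hardened sizing: multiply in 64 bits (32x32 cannot overflow 64), then bound
// the result by the bytes actually left in the input and by size_t's range.
bool checked_alloc_size(const ChunkHeader& h, std::uint64_t bytes_left, std::size_t& out) {
    if (h.count == 0 || h.elem_size == 0) return false;
    const std::uint64_t total = bytes_needed(h);
    if (total > bytes_left) return false;
    if (total > std::numeric_limits<std::size_t>::max()) return false;
    out = static_cast<std::size_t>(total);
    return true;
}

// Parser entry point that contains allocation failures instead of letting
// them propagate to std::terminate. `validate` selects the hardened sizing.
Result load_chunk(const ChunkHeader& h, std::uint64_t bytes_left, bool validate) {
    try {
        std::size_t n = 0;
        if (validate) {
            if (!checked_alloc_size(h, bytes_left, n)) return Result::Rejected;
        } else {
            n = naive_alloc_size<std::size_t>(h);
        }
        std::vector<std::uint8_t> buf(n);  // throws when n exceeds max_size()
        (void)buf;
        return Result::Ok;
    } catch (const std::exception&) {      // std::bad_alloc or std::length_error
        return Result::AllocFailed;
    }
}

int main() {
    const ChunkHeader wrap = {0x10000u, 0x10001u};          // constructed input
    const ChunkHeader huge = {0xFFFFFFFFu, 0xFFFFFFFFu};    // constructed input
    std::cout << std::hex
              << "needed:      0x" << bytes_needed(wrap) << "\n"
              << "32-bit size: 0x" << naive_alloc_size<std::uint32_t>(wrap) << "\n"
              << "64-bit size: 0x" << naive_alloc_size<std::uint64_t>(wrap) << "\n"
              << std::dec
              << "undersized on 32-bit: " << allocation_is_undersized<std::uint32_t>(wrap) << "\n"
              << "naive, huge header:   "
              << (load_chunk(huge, 4096, false) == Result::AllocFailed ? "alloc failed (caught)" : "ok")
              << "\n"
              << "validated, wrap header: "
              << (load_chunk(wrap, 4096, true) == Result::Rejected ? "rejected" : "accepted")
              << "\n";
    return 0;
}
```

Catching the exception only contains the 64-bit failure; the 32-bit wrap never throws, so only the size check addresses it.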

Re:... citation? (3, Informative)

hairyfeet (841228) | about a year ago | (#44243909)

Well I'm not a security expert so I can't comment on that, but what I DO have is a shitload of PCs at the shop and I can say that the VLC guy is right, I just tested the Securina "Proof Of Concept" SWF and it don't do shit under VLC. If any Securina fans are here it shows an image, the QT logo, and that's it.

I tried it on 32bit and 64bit win 7 and even the old XP box in the corner and he's right, first of all VLC won't even open it by default, won't show up in either open with nor any right click menus for that format, so you have to fire up VLC and THEN switch away from media files to all files to even see the thing in VLC and as I said when run? Nothing, hell it didn't even make VLC hang or crash.

So I'm sorry Securina but if that is your "proof" I gotta throw a flag, bullshit on the field. I haven't got any real old versions of VLC to check what it does on old versions but since VLC has had an updater in place for a couple of years now I can say that I just don't run into anybody running old versions of VLC in the wild so I don't consider that a test worth running.

Re:... citation? (0)

Anonymous Coward | about a year ago | (#44244081)

Is there any reason for you to constantly misspell Secunia?

Re:... citation? (0)

Anonymous Coward | about a year ago | (#44246727)

Or maybe he thought it was Securina and that he made no mistake at all, you idiot.

Re:... citation? (1)

metrix007 (200091) | about a year ago | (#44246285)

Maybe it doesn't work with DEP or ASLR, did you disable them?

Re:... citation? (2)

hairyfeet (841228) | about a year ago | (#44247431)

I figured the old XP box would cover that, it's a socket 754 Sempron so there isn't any DEP or ASLR and again, nothing. I also tried it on a 32Bit Conroe Celeron and after reading your post switched off DEP and ASLR and again, nothing.

Again maybe it did something on some old version which I would consider valid...if it didn't have an updater, but it does and since it updates itself and is free I don't really consider what it did in some old version a valid test. After all if they have no Internet so it can't update the odds they are gonna run into a SWF malware file is pretty much nonexistent, it'd be like saying a PC that is airgapped is in danger of viruses. This is why I don't bother with tests for malware that require Windows to never be updated because the only ones I see running around with WU turned off are the pirates and if they are smart enough to pirate Windows they ought to be smart enough to update the damned thing without getting bit by WGA.

As for the AC that wet his panties over how I wrote Secunia? I thought it was Securina, as in Security? Certainly makes more damned sense than what it's really called, WTF is a Secunia anyway? If they are just gonna pick a name out of a hat I vote for Petunia, there really ain't enough Petunias in the world.

Re:... citation? (1)

hairyfeet (841228) | about a year ago | (#44243707)

Not to mention as a guy that gives VLC out to Joe and Jane average I can tell ya VLC is used for local content on a local computer which as you said is all controlled by the one running the video, despite the LAN part of the title nobody I've seen has ever used it for anything but local content. Also I'm at work so can't check ATM but doesn't VLC run in lower rights than the user? I know I've never seen a UAC prompt to use VLC and it has to pop up a UAC to check for updates so if it's running in low or limited permissions the best they can do is crash the player.

In any case I can say I honestly don't care what Securina says, VLC has been one of the most problem free players I have ever encountered in the many many years I've been working in retail, VLC and KLite are my "go to" when it comes to media on a new install and if the VLC guys say it's bullshit I'll give them the benefit of the doubt simply because of how damned solid they have made their player. I have put in content with funky obscure codecs that hasn't been supported by anybody in ages, VLC fired right up and played it without a glitch nor a skip, that means a lot in my position.

So if any of the VLC devs are reading this there is at least one shop owner that will trust you if you say it's bogus, your player has been so solid I even keep it on my service call thumbdrive so it's always there if I need it. Great job guys, truly excellent work.

Re:... citation? (1)

metrix007 (200091) | about a year ago | (#44246295)

It doesn't run at lower rights than the user, it runs at the same rights as the user. When it needs more rights, that's why you see the UAC prompt.

Re:... citation? (1)

hairyfeet (841228) | about a year ago | (#44247467)

But users are run in limited (but not low, which is even more restricted) mode unless they agree to an elevation through a prompt so again I don't see this as a problem, and of the boxes at the shop I tried it on both an old Sempron XP box without DEP or ASLR, a Win 7 32bit Conroe Celeron with both ASLR and DEP on and off, and finally my 64bit home box with ASLR and DEP on...nothing. Their PoC didn't do squat, no crashes, no hangs, nothing.

So unless they can bring something better than a PoC that I can't get to do shit I'm gonna have to side with the VLC guys. I mean on ALL the systems I tried except for my 64bit home system they don't even have AV installed yet so if it was gonna do anything at all? I gave it the perfect platform.

Not invented here (0, Interesting)

Anonymous Coward | about a year ago | (#44239353)

C'mon Secunia, security isn't about bickering. You don't just throw proof-of-concept at someone and say "FIX IT FIX IT FIX IT" without buying them dinner first.

You'd be surprised (0, Funny)

Anonymous Coward | about a year ago | (#44239363)

What kind of things are exploitable. If the above involves a SEH chain to be invoked on windows it can be exploited.

Re:You'd be surprised (1)

Anonymous Coward | about a year ago | (#44239443)

Exceptions aren't exploitable, it's the buffer overflow that lets you write onto the exception chain that is exploitable.

Re:You'd be surprised (4, Insightful)

fnj (64210) | about a year ago | (#44239595)

What kind of things are exploitable.

Learn.

If the above involves a SEH chain to be invoked on windows it can be exploited.

It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.

Re:You'd be surprised (0)

Anonymous Coward | about a year ago | (#44240939)

I know of at least two C++ compilers that use SEH to implement C++ exceptions.
I also know one that doesn't and that essentially means that when I need to pass exceptions between my code and third-party components, I cannot use that compiler.

Re:You'd be surprised (0)

Anonymous Coward | about a year ago | (#44241171)

I know of at least two C++ compilers that use SEH to implement C++ exceptions.

Is the OP correct about "If the above involves a SEH chain to be invoked on windows it can be exploited"? Because if he is, then surely that means that any exception at all, even something as benign as "the user entered an invalid date", can be a security hole when compiled by one of those compilers?

Re:You'd be surprised (0)

Anonymous Coward | about a year ago | (#44248203)

I know of at least two C++ compilers that use SEH to implement C++ exceptions.

Is the OP correct about "If the above involves a SEH chain to be invoked on windows it can be exploited"? Because if he is, then surely that means that any exception at all, even something as benign as "the user entered an invalid date", can be a security hole when compiled by one of those compilers?

No.
You can exploit SEH by combining it with a buffer overflow vulnerability [SEH has a stack allocated data structure containing code jump pointers, spill the buffer and override the target address so that an exception will jump into your shellcode when searching for catch clauses] but the mechanism itself is simply inefficient and shit, not vulnerable.

Re:You'd be surprised (0)

Anonymous Coward | about a year ago | (#44247477)

What kind of things are exploitable.

Learn.

If the above involves a SEH chain to be invoked on windows it can be exploited.

It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.

Utter rubbish. Read John Robbins' books, and Mark Russinovich's. Ultimately at the lowest level, on Windows ALL exception types are implemented as Win32 structured exceptions...

Re:You'd be surprised (0)

Anonymous Coward | about a year ago | (#44248283)

It doesn't. C++ exceptions have exactly NOTHING to do with Win32 structured exceptions.

Utter rubbish. Read John Robbins' books, and Mark Russinovich's. Ultimately at the lowest level, on Windows ALL exception types are implemented as Win32 structured exceptions...

The implementation of exceptions in C++ and other programming languages is chosen by the authors of the compiler/interpreter, not John Robbins and Mark Russinovich.

Yet another biased Slashdot story (1, Troll)

Sarten-X (1102295) | about a year ago | (#44239403)

despite dire warnings from Secunia that it could be exploitable, it most certainly is not.

That depends entirely on what "exploit" means. If VLC is a core part of a media service, calling anything named "terminate" sounds like a recipe for a simple DoS. I don't think VLC is overpriced enough to serve in any critical roles (like, perhaps, a giant Times Square display), but it could easily be the magic under a layer of consultants' bills.

The easy assumption is that any time a program does something that wouldn't be expected, it's exploitable to cause some kind of annoyance. Whether that alone is enough to warrant a fix is a different matter.

Re:Yet another biased Slashdot story (1)

slashmydots (2189826) | about a year ago | (#44239613)

How is making VLC close a DoS? Just re-open it and don't play the rigged file again.

Re:Yet another biased Slashdot story (2)

Sarten-X (1102295) | about a year ago | (#44239761)

Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.

More examples I can think of offhand:

  • Theatre sound effects
  • Streaming media servers
  • Internet radio
  • Public information displays
  • Conference and sales presentations

I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.

Re:Yet another biased Slashdot story (3, Insightful)

Anonymous Coward | about a year ago | (#44240041)

Disrupt that playback, and you have denial of service, period.

Except if you control the data stream going to VLC you can do far more than disrupt the service. No exploit is needed.

Re:Yet another biased Slashdot story (0)

Anonymous Coward | about a year ago | (#44244467)

Except if you control the data stream going to VLC you can do far more than disrupt the service. No exploit is needed.

Sometimes I wish I had an account to upvote comments like this to the top. Then again I see a bunch of idiotic comments and am glad I don't.

Re:Yet another biased Slashdot story (1)

gl4ss (559668) | about a year ago | (#44240411)

Imagine a situation where audio or video playback is considered a service, like the given example of a Times Square ad display. Disrupt that playback, and you have denial of service, period.

More examples I can think of offhand:

  • Theatre sound effects
  • Streaming media servers
  • Internet radio
  • Public information displays
  • Conference and sales presentations

I'm not saying it's necessarily an important service that's disrupted, or that the fix will take a long time, but it's still a DoS.

if you can insert data into the datastream that is streaming into the video decoder .. umm.. then who the fuck cares you can "dos" it by making the decoder crash? you could dos it multiple ways then, like changing the stream to 10000000x10000000 pixel stream of white or whatever.

if you could run code through it then it would be pretty serious, obviously, but a videostream that crashes it is literally last decade's stuff.

Re:Yet another biased Slashdot story (1)

F.Ultra (1673484) | about a year ago | (#44240837)

Because if you can make it crash then something else might happen, for example the admin might reach out to it via some remote access method or go there physically which might help you in whatever you are doing.

Re:Yet another biased Slashdot story (0)

Anonymous Coward | about a year ago | (#44240925)

Or the admin might pee his pants and then on the way to the pants shop to buy more pants get hit by a bus and die.

THIS IS SERIOUS PEOPLE!!!!!11sqrt(1)

Re:Yet another biased Slashdot story (4, Informative)

Sarten-X (1102295) | about a year ago | (#44241899)

You jest, but that's a decent example. It's a hostile world, and every little thing, no matter how trivial, can be used against you, in unexpected ways. If you're aiming to kill a sysadmin, perhaps VLC is just the right tool for the job. Perhaps the bus hit was planned, and the attacker just needed a way to get the admin out in the open.

One of my personal favorite exploits involved using a core dump to drop a file into cron.d. The kernel, being ever so helpful, would put the dump into whatever working directory the crashing program was running in. Cron, being ever so helpful, would run all the files in cron.d, and being ever so helpful, would ignore all the badly-malformed data in those files. Put them together, and suddenly any user who can run a program can schedule commands to be run as root.

As your example shows with ample hyperbole, even a clean termination may be part of a larger plan. Perhaps VLC terminating triggers a watchdog that is differently-exploitable. Perhaps VLC is interfering with another exploit the attacker wants to use. Perhaps something else altogether... what matters is that all such attack vectors can be blocked by fixing this unexpected behavior.

Re:Yet another biased Slashdot story (0)

Anonymous Coward | about a year ago | (#44244529)

...It's a hostile world, and every little thing, no matter how trivial, can be used against you, in unexpected ways. If you're aiming to kill a sysadmin, perhaps VLC is just the right tool for the job. Perhaps the bus hit was planned, and the attacker just needed a way to get the admin out in the open.....Perhaps VLC terminating triggers a watchdog that is differently-exploitable. Perhaps VLC is interfering with another exploit the attacker wants to use. Perhaps something else altogether...

Perhaps you're an idiot and should shut up. VLC is a free open player, and Secunia is a PoS company trying to discredit the software. I'm going to list you as a security vulnerability because you crash when I give you input of a bullet to the head.

Re:Yet another biased Slashdot story (0)

Anonymous Coward | about a year ago | (#44245355)

Do you have citations for this cron-d exploit, because I think you're slinging lies over here.

Re:Yet another biased Slashdot story (2)

sjames (1099) | about a year ago | (#44240613)

On the other hand, you handed it a bogus video to play. The best it can do is pop up an error message and/or skip it. There is already some degree of disruption inherent in the situation.

Re:Yet another biased Slashdot story (0)

Anonymous Coward | about a year ago | (#44239911)

What does VLC do? Play movies/music. What does forcing VLC to close do? Prevent it from playing movies/music. Hence, it is no longer functional to provide its service. That you can very likely restart it doesn't change things.

Re:Yet another biased Slashdot story (1)

gl4ss (559668) | about a year ago | (#44240461)

What does VLC do? Play movies/music. What does forcing VLC to close do? Prevent it from playing movies/music. Hence, it is no longer functional to provide its service. That you can very likely restart it doesn't change things.

actually if you can choose which file/data it tries to decode then you can disrupt the original intended viewing. but there is actually no need for a crash exploit in it then. you could just make it show goatse all day.

Re:Yet another biased Slashdot story (1)

hairyfeet (841228) | about a year ago | (#44244037)

Except that when I just ran the PoC it didn't crash, hang, throw an exception or do anything else, so I think this entire line of conversation is kinda moot. Then you have to add in the fact that to even get this to play you are gonna have to do things that Joe and Jane average aren't even gonna think of, such as bypass the default Windows Open and Open With dialog boxes, fire up VLC, switch VLC from media to "any files" and then and ONLY then go to whatever directory it's sitting in and run it.

Working for normal folks 6 days a week I can tell you the odds of all that occurring are about the same as me growing wings out my behind and flying north for cooler temps. Most folks will just "clicky clicky" which on the machines at the shop fires up MP Classic which just sits there, no crashes either. For a PoC it's pretty damned weak, so far I've tried 3 different players and haven't got it to even crash anything. Hell I even tried opening it in IE, figuring if anything would crap itself it'd be good old Internet Exploiter but nope, didn't do shit...lame.

Re:Yet another biased Slashdot story (2)

gandhi_2 (1108023) | about a year ago | (#44241395)

Yes, but for MISSION CRITICAL .mkv playback, VLC just isn't an option.

Like, say... porn.

Re:Yet another biased Slashdot story (5, Insightful)

Anonymous Coward | about a year ago | (#44239671)

Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner. Fuck my old boots, the world will end tomorrow.

VLC over-priced? What planet are you on, it's free in both senses of the word, you plank! If anyone is selling media playback, they'll simply put a wrapper over ffmpeg, like 99% of Windows and OSX video players do already.

Re:Yet another biased Slashdot story (1)

bill_mcgonigle (4333) | about a year ago | (#44239783)

Wow! You mean a dodgy video (or other media file) can cause a player to stop execution and end in a controlled manner.

Is VLC actually exiting? It should put up a "this media file is corrupt" message with perhaps a backtrace under a disclosure pane. But that's a usability issue, not a security one.

VLC over-priced? What planet are you on, it's free in both senses of the word, you plank!

Adjust the squelch on your sarcasm meter. He means that big expensive projects tend to pay exorbitant licensing fees to software companies and don't bother with free software.

Re:Yet another biased Slashdot story (0)

Anonymous Coward | about a year ago | (#44247991)

In my experience, dodgy video files make VLC crash quite easily, often even when they work fine on the second try. But that seems like a minor usability issue since restarting VLC is very little effort.

Re:Yet another biased Slashdot story (0)

Anonymous Coward | about a year ago | (#44240817)

VLC over-priced? What planet are you on, it's free in both senses of the word, you plank!

You do know what "I don't think" means, right?

Re:Yet another biased Slashdot story (1)

sjames (1099) | about a year ago | (#44239737)

Usually exploit and DOS are two separate categories. DOS is limited in its impact (though it can be a serious problem in some cases) compared to exploit, the ability to use the program to gain privileges and/or run malicious code.

Re:Yet another biased Slashdot story (1)

SuricouRaven (1897204) | about a year ago | (#44239809)

If an attacker can inject their own video stream, they can do far worse things than DoS.

Re:Yet another biased Slashdot story (5, Funny)

g0bshiTe (596213) | about a year ago | (#44240039)

It's just important that if two attackers are at it that they don't cross the streams.

std: terminate. (2)

leuk_he (194174) | about a year ago | (#44243815)

Then who you are going to call?

Re:Yet another biased Slashdot story (1)

Sarten-X (1102295) | about a year ago | (#44240195)

The existence of other vulnerabilities is no reason to excuse this one. If that hypothetical ad display runs VLC, but its content is screened using Media Player, a crafted file may work fine and have approved content when checked, but crashes the display in production. This is a good argument for having identical testing and production systems, but that's not always how reality works out.

Re:Yet another biased Slashdot story (0)

Anonymous Coward | about a year ago | (#44240183)

I don't think VLC is overpriced enough to serve in any critical roles (like, perhaps, a giant Times Square display)

You'd be surprised. I did some coding not long ago for a company that makes digital signage systems (i.e. stuff like the machines that drive those displays) and they're using a mixture of free software on Windows XP bundled together with a .net front end. VLC had been installed on the system, but had been disabled in favour of a DirectShow-based player for formats where a proper codec could be found.

(My job was to rewrite under Linux, using gstreamer)

I call my doctor... (4, Funny)

wbr1 (2538558) | about a year ago | (#44239417)

when I need to call std::terminate.

Re:I call my doctor... (0)

Anonymous Coward | about a year ago | (#44242675)

I can feel the burning disappearing already!

#include <iostream>
#include

using namespace std;
using namespace everythingelse;

int main()
{
        cout << "PRAISE THE LAWD" << endl;
        bigBang();
        return 1; // God does not entertain the notion of zero
}

....aaaaand the burning is back. But this time it feels like it's in my eyes.

Put up or shut up (2, Interesting)

Anonymous Coward | about a year ago | (#44239435)

"Kaveh Ghaemmaghami has discovered a vulnerability in VLC Media Player, which can be exploited by malicious people to potentially compromise a user's system."
"The vulnerability is caused due to a use-after-free error when releasing a picture object during decoding of video files. This can be exploited to reference an object's callback function pointer from already freed memory. Successful exploitation may allow execution of arbitrary code."

Well if it can be exploited to execute arbitrary code, why not exploit it to execute arbitrary code? Or shut up and stop talking garbage ("to reference an object's callback function pointer" What?? Is that supposed to sound technical while being gibberish?).

Put up or shut up and the argument becomes more regular and concrete like most exploits.
i.e. proof of concept, the thing that seems to be missing from Secunia's claim.

Re:Put up or shut up (4, Informative)

Lunix Nutcase (1092239) | about a year ago | (#44239945)

How is that phrase gibberish? It's quite clear what it means if you've ever used C++ and function pointers to implement callbacks for an object.

Re: Put up or shut up (0)

Anonymous Coward | about a year ago | (#44241159)

Because secunia makes money selling exploits. Not giving them away for free.

Re:Put up or shut up (0)

Anonymous Coward | about a year ago | (#44246753)

Or shut up and stop talking garbage ("to reference an object's callback function pointer" What?? Is that supposed to sound technical while being gibberish?).

It's definitely not gibberish if you've programmed at least once in your life.

A slow decline (0, Insightful)

Anonymous Coward | about a year ago | (#44239471)

The so-called 'security' firms have just been building a business model around some accidents of history - buffer overflow, sql injections, etc...

  When all of these go away, slowly but surely, computer intrusion as we know it will cease to exist and 'hacking into computers' will be a thing of the past.

Re:A slow decline (0)

Anonymous Coward | about a year ago | (#44241169)

They'll find something new to call "h4>0RZ!!1!one!eleventy!" over. They have always managed before.

Notice how the abuse of the term "hacker" (and how clumsily it was done, with hat colours and "ethical" and lots of other qualifiers that in the main don't mean squat, sort-of the "cyber" of the security industry racket) has contributed to large amounts of FUD and uninformed decisions, even leading to overly broad-because-vague laws against "hacking" that effectively also criminalise creativity with technology, and thus could easily stymie innovation. Unless, of course, you're a big enough company.

But yes, the industry is one built on FUD and short-term patching-up, leading to expensive consultancy that really only prolongs the problem. One of the side effects is that apparently serious gatherers of exploits have gathered so many that they have no trouble at all with the cyber-breaking and cyber-entering of most any system. Shows you how much the security companies really know.

Re:A slow decline (0)

Anonymous Coward | about a year ago | (#44241773)

If you mean the NSA "cyber warrior" article, I just hope that was some sort of narcissist or a faked propaganda leak.

Re:A slow decline (1)

shentino (1139071) | about a year ago | (#44244191)

Ironically, the incentives you flag are the very reason it may continue.

Crisis averted (1, Troll)

GeekWithAKnife (2717871) | about a year ago | (#44239509)


I have read this quite concerned but am now finally relieved that my porn viewing will not be affected in the slightest.

Thank you for reporting on "stuff that matters".

Please wait ... (2, Informative)

Anonymous Coward | about a year ago | (#44239597)

I tried accessing the VLC website, but all I got was an error message:

Please wait while your font cache is rebuilt. This should take less than a few minutes.

Re:Please wait ... (0)

Anonymous Coward | about a year ago | (#44240059)

I'm not a VLC apologist, but does that even happen any more?
VLC is too clunky to use as my main video player but I do fall back to it regularly when other players choke on whatever it is I'm watching.
Can only remember seeing that in windows though so that might be it?

I'm curious because Firefox memory use still gets stick even though (IMHO) it hasn't been an issue for a dozen versions or so, and I think I might be seeing parallels.

I suppose that one time I was intimate with a midget, I didn't realise I would be called "that midget fucker guy" from then on in the office.
If I'd known, I would have been more patient with her contortionist friend. But you know what those carnie-folk are like.
Amirite?

Re:Please wait ... (1)

TheRaven64 (641858) | about a year ago | (#44240307)

I'm not a VLC apologist, but does that even happen any more?

The first time I ever saw this message was when updating VLC to the latest version about 2 months ago, so it definitely does still happen, although I've no idea why (or what it's doing that takes so long).

Re:Please wait ... (0)

Anonymous Coward | about a year ago | (#44240551)

It's making its own copy of your system fonts for subtitles. It's working around its own poor design.

Re:Please wait ... (0)

Anonymous Coward | about a year ago | (#44241649)

Sounds like an embarrassingly parallel work load. Finally, a reason for 8+ threads!

Re:Please wait ... (1)

hobarrera (2008506) | about a year ago | (#44263969)

I've used VLC for almost a decade and I've never seen this message. How do you trigger it? According to online sources, it's run after an update, but I've never seen it, and update every single release. Running vlc 2.0.7 right now.

Mein Kempf (1)

fustakrakich (1673220) | about a year ago | (#44239729)

Threatens 'legal action'? What's up with that?

Re:Mein Kempf (1, Troll)

GlowingCat (2459788) | about a year ago | (#44240019)

Oh the irony, somebody who doesn't give a crap about patents threatens with legal actions.

Re:Mein Kempf (0)

Penguinisto (415985) | about a year ago | (#44240557)

protip: patent infringement != libel/slander ;)

Re:Mein Kempf (3, Interesting)

Ash Vince (602485) | about a year ago | (#44240997)

protip: patent infringement != libel/slander ;)

It is still running to a bunch of lawyers though to settle what should be a technical issue.

He is worried about the damage to his wonderful player's reputation by Secunia filing a few bug reports? It works both ways: if they have filed bugs based on security issues that do not exist, that damages their reputation. Surely it makes more sense to have a discussion between two techies regarding the expected behaviour of the application. I don't see what a bunch of lawyers can contribute to that.

Oh, apart from burning them to keep the techies warm :)

Re:Mein Kempf (1)

Capt.Albatross (1301561) | about a year ago | (#44242219)

I don't see what a bunch of lawyers can contribute to that.

Bringing legal action got the issue on Slashdot, so it turned out to be an effective way to raise awareness that Secunia's position is bogus.

The end (-1, Troll)

Anonymous Coward | about a year ago | (#44240107)

This attitude towards security is why my clients are removing Linux so quickly their computers are literally exploding. Can you blame them? Who'd you trust? A bunch of amateurs working out of their bedrooms? A CORPORATION with shareholders and a fountain in their lobby? No contest!

No, Linus. This is the end. By the end of the week all of my clients will have switched to reliable Windows 8, with Norton and no further need for security. Good job buddy! That's 3 fewer installs of Linux. Fix VLC and then we'll talk. While the rest of you sit late in the office patching your systems, I'll be at home browsing some vore, with my free hand giving myself a well earned pat on the back.

Re:The end (0)

Anonymous Coward | about a year ago | (#44240283)

Pretty weak troll. I'll give you 2,5 out of 5, if nothing else for your copy/pasta effort. Otherwise you'd probably get a 1.

Re:The end (1)

mitzampt (2002856) | about a year ago | (#44241097)

He even brought out the cheese for the pasta when he mentioned Windows 8, you need to give him at least 3 out of 5. I almost fed him myself...

Re:The end (0)

Anonymous Coward | about a year ago | (#44241657)

my clients are removing Linux so quickly their computers are literally exploding

Sounds like a good reason not to remove Linux.

I trust Secunia (2, Funny)

Steve_Ussler (2941703) | about a year ago | (#44240367)

They have always been correct.

Use after free is *not* just a DOS vulnerability (3, Informative)

benjymouse (756774) | about a year ago | (#44240731)

(original submitter here)

If Secunia is correct that the root cause is a use-after-free vulnerability, its exploitability is likely not limited to simple DOS. Secunia talk about a callback handler. A use after free vulnerability can easily lead to execution of arbitrary code, depending on how much control the attacker can assert over the memory.

Also, it is interesting if the sentiment is that it is not a vulnerability if it sits in a linked library. Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.
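The stale-reference effect described in the comment above, shown as an added example that is not part of the original thread and is not VLC or ffmpeg code: a constructed C model in which a pool of callback slots stands in for heap memory, so slot reuse is deterministic and nothing relies on undefined behaviour. All names (`handler_register`, `call_checked`, and so on) are hypothetical; the generation counter is one common defensive pattern, assumed here for illustration.

```c
#include <stdio.h>

/* Constructed model: a fixed pool of callback slots stands in for heap
 * chunks. A released slot is handed to the next registration, which is
 * what makes a stale reference dangerous rather than merely invalid. */
#define SLOTS 4
typedef int (*handler_fn)(int);
struct slot { handler_fn fn; unsigned gen; int in_use; };
struct handle { unsigned idx; unsigned gen; };
static struct slot pool[SLOTS];

static int on_media_event(int x) { return x + 1; }  /* intended handler */
static int unrelated_code(int x) { return -x; }     /* later occupant of the slot */

static struct handle handler_register(handler_fn fn) {
    struct handle h = { SLOTS, 0 };                 /* idx == SLOTS means pool full */
    for (unsigned i = 0; i < SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].fn = fn;
        pool[i].in_use = 1;
        h.idx = i;
        h.gen = pool[i].gen;
        break;
    }
    return h;
}

static void handler_release(struct handle h) {
    if (h.idx < SLOTS && pool[h.idx].in_use && pool[h.idx].gen == h.gen) {
        pool[h.idx].in_use = 0;
        pool[h.idx].fn = NULL;
        pool[h.idx].gen++;                          /* invalidates every old handle */
    }
}

/* Unchecked call: trusts the index alone, like a dangling pointer. If the
 * slot is still empty this is a crash (the DoS case); if it was reused,
 * whatever now lives there gets called. */
static int call_unchecked(struct handle h, int arg) {
    return pool[h.idx].fn(arg);
}

/* Checked call: refuses handles whose generation no longer matches. */
static int call_checked(struct handle h, int arg, int *out) {
    if (h.idx >= SLOTS || !pool[h.idx].in_use || pool[h.idx].gen != h.gen)
        return -1;
    *out = pool[h.idx].fn(arg);
    return 0;
}

int main(void) {
    int out = 0;
    struct handle a = handler_register(on_media_event);
    handler_release(a);                             /* object freed ... */
    handler_register(unrelated_code);               /* ... and its slot reused */
    printf("unchecked: %d\n", call_unchecked(a, 41));     /* runs unrelated_code */
    printf("checked:   %d\n", call_checked(a, 41, &out)); /* stale handle rejected */
    return 0;
}
```
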

Re:Use after free is *not* just a DOS vulnerabili (2, Informative)

Anonymous Coward | about a year ago | (#44241661)

Should it really be considered a vulnerability of the library and not of the product using the library? For all intents and purposes, it is a vulnerability of the product.

Why? We don't report vulnerabilities in the GNU C library (glibc) as being vulnerabilities of every program that has links to it. Even Secunia reports vulnerabilities in glibc as vulnerabilities of the library, not the individual programs using it. [cite: https://secunia.com/advisories/search/ [secunia.com] ]

You can argue that it ought to be the other way, but at the very least Secunia should be consistent with their own practice. Flagging VLC because of a vulnerability in ffmpeg is not consistent with Secunia's own past practice.

consider shared libraries (3, Informative)

Chirs (87576) | about a year ago | (#44241963)

If I update the library it resolves the problem for all users of the library. Therefore, the problem is in the shared library, not in the users of that library.

It may be possible to trigger the bug in users of the library, but the actual error (and the thing that must be fixed) is in the library, not the program using it.

Thoughts on "Shared Libs" usage... apk (-1)

Anonymous Coward | about a year ago | (#44242671)

Per my original post -> http://it.slashdot.org/comments.pl?sid=3958509&cid=44241949 [slashdot.org] since I have been in VERY similar circumstances - I first point you to that!

(& what's there in that link for me? NOT a "1st" either - had it happen YEARS BEFORE in 2004, & CA never even notified me of it - I had to stumble upon it myself, and in the end? They 'downgraded' the "threat" in THAT app to ZERO... I passed all 21 of their removal questions too - should have been TOTALLY removed, but wasn't - these companies play a LOT of "dirty pool" just to show "we catch more" when in fact? They do not and offer FALSE POSITIVES as truth!).

Anyhow/anyways (back on track on 3rd party lib use):

1 gent, Mr. Steven Burn (malwarebytes' hpHosts) - who helped me out TONS, in that situation in that link I posted above, asked me once:

"Why don't you just use SQLite?"

(Since a SELECT DISTINCT query does deduplication & sort easily enough)

My answer? "I like to be able to say 'I built this, myself, by hand, & it gives me superior control over bugs...'"

( & also since if ANY 'holes' show up in SQLite, guess who else "bites it" then?? Me.)

Besides: Dedups & Sorts are fairly simple to do (lol, except "HeapSort" imo), & even native tools like StringLists have this built into their Object methods AND can take added "custom sorts" as well if needed (so why bother use external libs?) - sometimes, they are - some are faster (DataStructures class anyone?) on sorted vs. unsorted sets, large vs. small sets, etc./et al!

* NO THANK YOU - AVOID 3rd party libs, IF/WHEN POSSIBLE: &, mainly because of what you're seeing here (and other things noted).

(I like to write single 'stand-alone' executables when & IF possible, minus calls to ANY libs outside of what the OS itself supplies in its API's, for that very reason alone as well as performance & to have a "single container" with no "extra moving parts" too!)

APK

P.S.=> Imo & experience (been coding since 1982, & professionally since late 1993) - You're truly/honestly FAR BETTER OFF taking the extra time to learn how to do things, yourself, in your OWN CODE! Almost every time, because of the above (& what you yourself note, as well as the article). You also have a LOT MORE CONTROL that way too, as far as fixes if they're required... apk

Statically linked library (1)

benjymouse (756774) | about a year ago | (#44242913)

What if the library is statically linked (as it is on some platforms with VLC as I understand it)? Then it is distributed with the product.

Good point: I deal with that in VCL's... apk (0)

Anonymous Coward | about a year ago | (#44243717)

Borland's Object Model in Delphi (& C++ Builder too) let you do that via "VCL's" (visual component libs) that compile right into your app - it's much like doing classes work in say, VB or C++ from MS (& it has forms built right in if required etc.). By the way: YES, that is "VCL" not our subject program, "VLC" (stressing that here, right off the bat almost).

It's great when they ship with source - easier to control by far of course. Not as nice if they don't (some don't). Usually I've seen that MOST 3rd party folks, in freeware libs, ship with source though. Thank Goodness. I steer clear of them now, usually, if the time to take building the functionality of the lib isn't too extreme, then I build it/mimic it, myself. Just a matter of trade off time constraints. I am "big" personally, on "self-built code" for reasons of maintenance etc. (what happens if say, you go from 32-> 64-bit & can't port others' 3rd party libs too? You're stuck!) - it was what my 1st post here was about, in fact.

You're, odds are, going to HAVE to distribute any .DLL files too, since you noted distributed with product, though. If the OS doesn't have a native model of the same, with the SAME build/version # on it - you're in for hassles (placing YOURS in your appdir overrides those, & gets you around this, since 1st place in dll calling rules is the application's folder before any place else, like %WinDir%\system32)

APK

P.S.=> In my last reply however, I should have specified that regarding your point - that DLL-based API's were what I meant by "3rd party libs", specifically (vs. statically linked VCL's and yes, it is CLOSE to our subject spelling-wise, so nobody get too confused now, in VLC)... apk

No, and yes and no. (0)

Anonymous Coward | about a year ago | (#44248151)

VLC distributes a single installer with a lot of things in it on, eg. windows, where on a linux system most of the parts would all be separate packages (fetched from source and compiled by your linux distribution and not by videolan), but the individual libraries are dynamically loaded as needed.

Statically linked would mean one rather large binary, and that's not how vlc works on any platform. It's a core engine with lots and lots of plugins, relying heavily on dynamic loading. So the terminology as used does not apply.

Bottom line, VLC does come with third party software libraries packed in its installer on platforms where it provides such a thing (windows, mac), but does not on others, that rely on source distribution.

Even so, the situation remains that if there is a problem in, say, ffmpeg, then pointing at vlc as the culprit is misleading, even dishonest, in badly counter-productive ways:

First, though vlc would be affected, they would kick over the problem to ffmpeg tout de suite. At most they'd patch it themselves, submit the patch to ffmpeg, and awaiting upstream upgrades patch the version of ffmpeg in the build tree -- but that only works for platforms for which they provide monolithic installers. Source distribution would be left out in the cold. Might as well work with ffmpeg directly to get the thing fixed, instead of getting into a shouting match with videolan.

Working with the group most directly responsible for the software that contains the problem is usance and best practice in the open source community. This is a bit different from the commercial stonewalling secunia is apparently used to.

Second, ffmpeg (and much of whatever else vlc uses) is used quite a lot more widely than just vlc, and so if you blame vlc then you're not just frustrating fixing the actual problem, you're leaving all those other users out in the cold, too.

Re:Use after free is *not* just a DOS vulnerabili (-1, Troll)

CODiNE (27417) | about a year ago | (#44243141)

For all intensive purposes, it is a vulnerability of the product.

FTFY

Re:Use after free is *not* just a DOS vulnerabili (0)

Anonymous Coward | about a year ago | (#44245163)

I really hope you're trolling, because "for all intensive purposes" is a corruption of the phrase "for all intents and purposes". Using the "intensive" version is usually a sign that you're a dumbass.

(Only usually, though. Unlike many cases of mangled phrases, there are contexts where "intensive purposes" might actually make sense. In this one, however, "for all intents and purposes" is clearly correct.)

Re:Use after free is *not* just a DOS vulnerabili (1)

CODiNE (27417) | about a year ago | (#44251793)

Rarely understood, often vilified. Satire is the most dangerous form of literature.

It was a silly joke about the corruption of language, how the vernacular becomes the standard and the frequent error of those who jump on others' supposed mistake.

Y'all get a nice big WOOOOSH!

Re:Use after free is *not* just a DOS vulnerabili (1)

TJamieson (218336) | about a year ago | (#44243303)

My understanding is the libmkv terminate was the DoS portion. The SWF use-after-free would indeed be vulnerable, but is also within ffmpeg. While it would be nice - and in their best interests - if VLC fixed it upstream, it should have been reported as an ffmpeg issue imo.

Been there myself (not fun)... apk (-1)

Anonymous Coward | about a year ago | (#44241949)

Last year, right up into THIS year: FINALLY cleared! Myself, Mr. Steven Burn (hpHosts/malwarebytes), & Mr. Henry Hertz Hobbit (securemecca.org/hostsfile.net) went thru "false positives" findings by:

---

1.) McAfee
2.) Norton/Symantec
3.) Comodo
4.) Trend
5.) ArcaVir/ArcaBit

---

In the end?

* I had to prove them wrong, & did: EACH OF THEM REMOVED MY APP from their lists of "malware" per JOTTI online virus test etc./et al!

However: All that held back the release of this app:

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74 [start64.com]

---

By a good 2-3 months in 2012 in fact! Pissed me off, because I KNEW I wrote good, solid, & NO VIRUS code in it! In the end?? Guess who came up RIGHT ("yours truly").

It also created some "mistrust" of me on the part of those gents above (part of the security community - their job IS to be 'paranoid' of apps, rightfully so, considering they & their sites are OFTEN attacked online (DDoS & such)). I had to earn it back & did - they looked into it, and it was EXACTLY what I told them it would be (enumerated next below):

E.G.-> 1st - They didn't understand a 64-bit executable compressor technique I used!

2nd - They called anything distributed in a WinRar SFX a "virus"... WTF!

I.E.-> Some of their STUPID "rules" are just that - stupid!

(My app's small enough & is a "portable app", that all it NEEDS is a WinRar SFX to distribute it (keeps size of distro down too, much tinier than installer programs create)).

APK

P.S.=> Guys, trust me (from someone that's been here before):

These guys @ these AntiVirus companies? Most are pretty good, know how to trace & kernel level debug disassemble for the truth of things - however, their "heuristics" go way overboard @ times in their programs! Unfortunately, they're not always right... case in point, above (and below too)...

... apk

Little Addendum you can verify (-1)

Anonymous Coward | about a year ago | (#44242275)

Ask Mr. Nir Sofer of NIRSOFT (writes tons of good small utilities for tons of purposes) - in fact, he & I had long discussions about this a few times via email. I really felt for him too, as I have BEEN there myself also.

or

Even Dr.Mark Russinovich of SysInternals/Microsoft fame, this question:

---

QUESTION: How many times THEY TOO have been thru what myself (and now VLC apparently) have in "false positives"...

---

This kind of crap? Happens... a LOT!

(Too much).

* HOWEVER/In the end: I wish VLC well though & GOOD LUCK (they'll get thru it, they're good coders, takes 1 to know one, lol)!

(They have a NICE program, really, really nice! Fact is - it's so nice, that I can't decide which I like better: VLC 64 bit or Media Player Classic 64-bit...)

APK

P.S.=> As to the gents I noted in my 1st reply? Hey:

Please, by all means - Feel free to write them also, to verify my statements earlier in my original post reply (Mr. Steven Burn of hpHosts/malwarebytes -> services@it-mate.co.uk ) or (Mr. Henry Hertz Hobbit of securemecca.org -> hhhobbit@securemecca.org ) - they WILL freely verify anything I said as truth, I am sure of it!

... apk

Not surprising (0)

Anonymous Coward | about a year ago | (#44242977)

I've seen tagged "critical security" "buffer overflow bugs" for unchecked bounds strings... only exploitable being root...

Simple (0)

Anonymous Coward | about a year ago | (#44244241)

So, the solution is simple. Fix the bug. Own the problem, take responsibility for it. After the bug is fixed if someone wants to claim it isn't, offer $1,000,000 if they can tank you. If they collect, you were wrong. If they can't, they were wrong. It _is_ that simple.

Tradeoff (0)

Anonymous Coward | about a year ago | (#44258999)

Spend manpower on fancy Metroized version, or ironing the real deal?
