SecurityWeek


VideoLAN, Secunia in War of Words Over “Unpatched” Software Report

The company behind a popular media player software has called out vulnerability management firm Secunia for continuing to list a vulnerability as “unpatched” and threatened legal action.


VideoLAN, the maker of the popular VLC media player, threatened to sue Secunia for defamation because the security company had not updated one of its advisories regarding a “highly critical” vulnerability even though a patch was available, Secunia Research wrote on the company blog on Tuesday. Secunia Research said according to its analysis, the root cause of the flaw has not been addressed in the latest stable version, VLC 2.0.7.

Within hours, VideoLAN president Jean-Baptiste Kempf had fired back with a blog post of his own, entitled, “More lies from Secunia,” and accused the company of defamation. He claimed the security hole was closed very quickly, but that Secunia refused to update the advisory.

There is a lot of finger-pointing between the two companies, and it is not entirely clear where the lines of communication broke down. What is known, and agreed upon, is that the flaw, as described in Secunia Advisory SA51464, was originally publicly reported by independent security researcher Kaveh Ghaemmaghami on the Full-Disclosure mailing list. The root cause of the vulnerability was in the underlying FFmpeg library, which VLC statically links to.

VLC is described as a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVD, Audio CD, VCD, and various streaming protocols.

According to SA51464, the vulnerability is a use-after-free error triggered when a picture object is released during decoding of a video file. The issue was first reported against VLC 2.0.4, and Secunia said successful exploitation would result in arbitrary code execution. Kempf said the issue was in the third-party libavformat/libavcodec libraries and not in VLC's own code.

Kempf said in his post that VLC shipped a patch seven days after the proof-of-concept appeared on the Full Disclosure list, while Secunia had published its advisory the day after the proof-of-concept appeared, calling the issue unpatched. Secunia's blog post alleges that the fix in VLC 2.0.5 was incorrect and did not address the root cause, which is why the advisory remained marked as unpatched.

This is where things get a little confusing. Kempf repeatedly insisted in his post that the fix was valid, since the proof-of-concept provided by Secunia no longer crashed the player. “We saw the crash they gave us and we fixed it,” Kempf wrote.

Secunia Research claimed the VLC team “failed to understand the root cause” of the vulnerability, which was why the patch was invalid. When another researcher independently reported a vulnerability in VLC 2.0.5, Secunia determined it was the same use-after-free flaw in SA51464, but using a different attack vector. At this point, a new proof-of-concept was provided, but the team responded saying the issue had been fixed, according to the Secunia post.


Kempf did not address this second proof-of-concept in his post.
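The disagreement in the paragraphs above comes down to a symptom fix versus a root-cause fix: the first proof of concept stopped crashing, but the same use-after-free was still reachable through another vector. The following is an added example, not code from VLC, FFmpeg or Secunia and not the actual bug in SA51464. It is a constructed decoder model in which a reference picture is released on two different paths (a decode error and a stream flush) without clearing the pointer to it. A symptom fix that touches only the error path stops the first proof of concept, while the identical bug remains reachable through the flush path; the root-cause fix makes every release site clear the pointer. The picture pool, frame kinds, fix levels and the `run_poc` helper are all assumptions made for this example, and the `freed` flag stands in for a memory sanitizer so that invalid accesses are counted instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not VLC/FFmpeg code. A picture carries a refcount and a
 * "freed" flag; the flag is a toy sanitizer so that a use-after-free or a
 * double release is counted rather than corrupting memory. */
typedef struct {
    int  refs;   /* outstanding references */
    bool freed;  /* true once released back to the pool */
} picture_t;

#define POOL_SIZE 8
static picture_t pool[POOL_SIZE];
static int pool_used;     /* bump allocation, no slot reuse: dangling pointers stay detectable */
static int bad_accesses;  /* number of accesses to a freed picture */

static picture_t *picture_new(void) {
    if (pool_used == POOL_SIZE) return NULL;
    picture_t *p = &pool[pool_used++];
    p->refs = 1; p->freed = false;
    return p;
}

/* Every access to a picture goes through this check. */
static bool picture_live(const picture_t *p) {
    if (p->freed) { bad_accesses++; return false; }
    return true;
}

static void picture_release(picture_t *p) {
    if (!picture_live(p)) return;   /* double release counts as a bad access */
    if (--p->refs == 0) p->freed = true;
}

static void picture_read(const picture_t *p) {
    (void)picture_live(p);          /* inter prediction reads the reference picture */
}

typedef enum { FRAME_OK, FRAME_CORRUPT, FRAME_FLUSH } frame_kind_t;
typedef enum { FIX_NONE, FIX_SYMPTOM, FIX_ROOT_CAUSE } fix_level_t;

typedef struct {
    picture_t  *ref;  /* reference picture kept across frames */
    fix_level_t fix;
} decoder_t;

/* Root-cause fix: releasing the reference always clears the pointer. */
static void ref_drop(picture_t **pp) {
    if (*pp) { picture_release(*pp); *pp = NULL; }
}

/* The buggy release site. The symptom fix clears the pointer only on the
 * decode-error path that the first proof of concept exercised. */
static void drop_ref_on_path(decoder_t *d, frame_kind_t path) {
    if (d->fix == FIX_ROOT_CAUSE) { ref_drop(&d->ref); return; }
    if (!d->ref) return;
    picture_release(d->ref);
    if (d->fix == FIX_SYMPTOM && path == FRAME_CORRUPT) d->ref = NULL;
    /* FIX_NONE, or FIX_SYMPTOM on the flush path: d->ref now dangles. */
}

static int decode_frame(decoder_t *d, frame_kind_t kind) {
    picture_t *p;
    switch (kind) {
    case FRAME_CORRUPT:                    /* attack vector A: undecodable frame */
        drop_ref_on_path(d, FRAME_CORRUPT);
        return -1;
    case FRAME_FLUSH:                      /* attack vector B: stream flush */
        drop_ref_on_path(d, FRAME_FLUSH);
        return 0;
    case FRAME_OK:
        if (d->ref) picture_read(d->ref);  /* uses the reference, freed or not */
        p = picture_new();
        if (!p) return -1;
        ref_drop(&d->ref);                 /* this path was always correct */
        d->ref = p;
        return 0;
    }
    return -1;
}

/* Decodes a frame sequence with a fresh decoder; returns the bad-access count. */
static int run_poc(fix_level_t fix, const frame_kind_t *seq, size_t n) {
    decoder_t d = { NULL, fix };
    pool_used = 0; bad_accesses = 0;
    for (size_t i = 0; i < n; i++) decode_frame(&d, seq[i]);
    ref_drop(&d.ref);
    return bad_accesses;
}

/* Two proof-of-concept streams reaching the same root cause by different vectors. */
static const frame_kind_t poc_a[] = { FRAME_OK, FRAME_CORRUPT, FRAME_OK };
static const frame_kind_t poc_b[] = { FRAME_OK, FRAME_FLUSH, FRAME_OK };

int main(void) {
    for (int fix = FIX_NONE; fix <= FIX_ROOT_CAUSE; fix++)
        printf("fix level %d: PoC A %d bad accesses, PoC B %d bad accesses\n", fix,
               run_poc((fix_level_t)fix, poc_a, 3), run_poc((fix_level_t)fix, poc_b, 3));
    return 0;
}
```

Run as is, the symptom-fix row shows zero bad accesses for the first proof of concept and a non-zero count for the second, which is the situation Secunia describes: the vendor's test input no longer crashes, yet the advisory's root cause is untouched. Verifying a fix against the bug class (every release of the reference clears it) rather than against the one input that crashed is the check a practitioner would want before closing an advisory.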

Both blog posts discussed an unrelated vulnerability—SA52956—when parsing MKV (Matroska) files, which was discovered in version 2.0.6. There is another disagreement here, with Kempf saying the team informed Secunia of the fix “on several occasions,” and Secunia Research saying the vendor claimed at one point to not know what vulnerability was being discussed. Despite repeatedly checking the builds, Secunia Research said it continued to see the issue.

This was not the first instance where the two companies were not able to communicate with each other. Secunia Research claimed it notified the VLC team the patch was incorrect during an email exchange in February (a copy of the email is linked from the post), but received no response. Kempf claimed Secunia never contacted the team for three months after releasing the advisory.

In none of the communications between the two companies did Secunia provide a fuller explanation of what the problem was or discuss the technical details, Kempf said.

“Who is failing at doing ‘coordination between vendors and researchers’?” Kempf wrote.

Kempf also claimed the MKV vulnerability in SA52956 was not exploitable, but Secunia Research said its proof of concept “could reliably control the contents of the corrupted memory.” Vulnerability research company VUPEN has weighed in on the MKV dispute, claiming the issue was still exploitable in version 2.0.7.

VideoLAN posted on its Twitter feed last month that Secunia was threatening it via email. Kempf was also incensed that Secunia had posted on Twitter warning users that VLC had unpatched security issues.

Secunia’s post said, “At no point did we digress from our disclosure policy, or threaten the vendor in any way, and were merely looking out for the safety of the users of VLC.”

The dispute became even more surreal when VLC developer TypX responded to Secunia on Reddit. In his post, he confirmed that the MKV vulnerability was fixed in the development version of VLC 2.1.0 but that the change had not yet been backported to the 2.0.x series.

“If the backport hasn’t been done to 2.0 it’s my responsibility, since it was late, I procrastinated it and then it slipped out of my mind due to real life contingencies. For that I apologize to our users and the rest of the team that has to deal with this drama,” TypX wrote.

Secunia Research wrote that its primary responsibility was to “provide accurate information about vulnerabilities” via neutral advisories, but that the task is complicated by “vendors who are overprotective about their code and in denial about the vulnerabilities found in their software.”

Because both companies appear to agree the MKV issue is fixed in VLC 2.1.0, users should upgrade. But it’s not clear what happens next for the two companies. Secunia has said it will no longer cooperate with VLC and will immediately publish vulnerability disclosures instead of giving the company time to address the issues.

“The way Secunia deals with this [vulnerability disclosures] was outrageous and I think I have all the rights to be pissed and claim that they do not work ‘with vendors,’” Kempf said in response.
