The company behind a popular media player software has called out vulnerability management firm Secunia for continuing to list a vulnerability as “unpatched” and threatened legal action.
VideoLAN, the maker of the popular VLC media player, threatened to sue Secunia for defamation because the security company had not updated one of its advisories regarding a “highly critical” vulnerability even though a patch was available, Secunia Research wrote on the company blog on Tuesday. Secunia Research said according to its analysis, the root cause of the flaw has not been addressed in the latest stable version, VLC 2.0.7.
Within hours, VideoLAN president Jean-Baptiste Kempf had fired back with a blog post of his own, entitled, “More lies from Secunia,” and accused the company of defamation. He claimed the security hole was closed very quickly, but that Secunia refused to update the advisory.
VLC is described as a free and open source cross-platform multimedia player and framework that plays most multimedia files as well as DVD, Audio CD, VCD, and various streaming protocols.
Secunia said the vulnerability was the result of a user-after-free error caused when releasing a picture object during decoding of video files, according to SA51464. The issue was first discovered in VLC 2.0.4, and successful exploitation of this flaw would result in arbitrary code execution, according to Secunia. Kempf said the issue was in the third-party libavformat/libavcodec libraries and not in VLC’s main code.
Kempf said in his post there was a VLC patch seven days after the proof-of-concept appeared on the Full Disclosure list, yet Secunia posted an advisory a day after calling the issue unpatched. Secunia’s blog post alleges that the fix in VLC 2.0.5 was incorrect and did not address the root cause, which is why it issued the advisory.
This is where things get a little confusing. Kempf repeatedly insisted in his post that the fix was valid, since the proof-of-concept provided by Secunia no longer crashed the player. “We saw the crash they gave us and we fixed it,” Kempf wrote.
Secunia Research claimed the VLC team “failed to understand the root cause” of the vulnerability, which was why the patch was invalid. When another researcher independently reported a vulnerability in VLC 2.0.5, Secunia determined it was the same use-after-free flaw in SA51464, but using a different attack vector. At this point, a new proof-of-concept was provided, but the team responded saying the issue had been fixed, according to the Secunia post.
Kempf did not address this second proof-of-concept in his post.
Both blog posts discussed an unrelated vulnerability—SA52956—when parsing MKV (Matroska) files, which was discovered in version 2.0.6. There is another disagreement here, with Kempf saying the team informed Secunia of the fix “on several occasions,” and Secunia Research saying the vendor claimed at one point to not know what vulnerability was being discussed. Despite repeatedly checking the builds, Secunia Research said it continued to see the issue.
This was not the first instance where the two companies were not able to communicate with each other. Secunia Research claimed it notified the VLC team the patch was incorrect during an email exchange in February (a copy of the email is linked from the post), but received no response. Kempf claimed Secunia never contacted the team for three months after releasing the advisory.
In any of the communications between the two companies, Secunia did not provide a more complete explanation of what the problem was or discussed the technical points, Kempf said.
“Who is failing at doing ‘coordination between vendors and researchers’?” Kempf wrote.
Kempf also claimed the MKV vulnerability in SA52956 was not exploitable, but Secunia Research said its proof of concept “could reliably control the contents of the corrupted memory.” Vulnerability research company VUPEN has weighed in on the MKV dispute, claiming the issue was still exploitable in version 2.0.7.
VideoLAN posted on its Twitter feed last month that Secunia was threatening them via email. Kempf was also incensed that Secunia had posted on Twitter warning users that VLC had unpatched security issues.
Secunia’s post said, “At no point did we digress from our disclosure policy, or threaten the vendor in any way, and were merely looking out for the safety of the users of VLC.”
The entire dispute gets even more surreal when VLC developer TypX responded to Secunia on Reddit. In his post, he confirmed that the MKV vulnerability was fixed in the developer version of VLC 2.1.0 but that the changes had not yet been applied to the 2.0.x series.
“If the backport hasn’t been done to 2.0 it’s my responsibility, since it was late, I procrastinated it and then it slipped out of my mind due to real life contingencies. For that I apologize to our users and the rest of the team that has to deal with this drama,” Typx wrote.
Secunia Research wrote that its primary responsibility was to “provide accurate information about vulnerabilities” via neutral advisories, but that the task is complicated by “vendors who are overprotective about their code and in denial about the vulnerabilities found in their software.”
Because both companies appear to agree the MKV issue is fixed in VLC 2.1.0, users should upgrade. But it’s not clear what happens next for the two companies. Secunia has said it will no longer cooperate with VLC and will immediately publish vulnerability disclosures instead of giving the company time to address the issues.
“The way Secunia deals with this [vulnerability disclosures] was outrageous and I think I have all the rights to be pissed and claim that they do not work ‘with vendors,’” Kempf said in response.
Related Reading: Secunia Broadcasts Zero-day Vulnerability via Email
Related Podcast: The Story Behind Microsoft’s Bug Bounty Program