This is Not really any Problem whatsoever as Long as You dont Download Torrents from untrusted sources. Just ignore this post
Comment has been collapsed.
Yeah, these days it's easy to avoid malicious stuff since most sites have trusted sources either marked or in some categories you'll just have popular names, like ETTV/EZTV for TV and TV movie stuff.
Though, regardless, caution should always be taken.
Comment has been collapsed.
Why would anyone want to install a codec pack in 2019? Almost every single popular media player beyond MPC has a full codec integration in them. Furthermore, why add dozens to hundreds of different codecs when you can add only LAV which plays literally everything?
By the way, apparently it is a Matroska demux issue, so you'd have to run a malicious MKV file to trigger it.
Comment has been collapsed.
You don't need a CODEC pack with MPC-HC either. It has natively handled everything I've ever thrown at it.
Comment has been collapsed.
1) Because many old games use video codecs that no modern version of windows natively comes with. The easy solution is to install a codec pack (only 50 or so MB) and now the game runs. I have personal experience of this.
2) Thank you for the information.
Comment has been collapsed.
Old games use either QuickTime or one of the RAD formats. (Or Indeo, but Windows natively supports it since like forever.) If it is QuickTime, many semi-maintained games had the videos converted (most GOG games did), or you should run them in a sandbox/VM as the Windows Quicktime support ended ages ago and Apple said they do not give a fuck about fixing the glaring security holes that were found in the Win edition. The one in K-Lite has the same issue.
As for RAD, LAV supports it for years.
Comment has been collapsed.
some of the indeo codecs were not included (in a usable fashion) in win 7; maybe they have been restored in later versions. Civ 2's videos would not play in-game without this codec pack. IIRC, AoE2 had the same issues, as did one or two other of our CD-based games from my childhood. However, thank you for the info!
Comment has been collapsed.
K-Lite Codec Pack does not install nor use Quicktime, it relies on LAV filters to play most video formats.
You would only need to install Quicktime if you want to author and create MOV files. But these days MP4 and MKV are pretty much the standard containers.
Comment has been collapsed.
But why install it through K-Lite then and add all the crap? LAV is more than enough on its own without the bloatware. :)
Comment has been collapsed.
I wouldn't call it bloatware. K-Lite is a convenient collection of up-to-date components including DirectShow filters (LAV filters, DirectVobSub, madVR), a video player (MPC-HC) as well as related tools (like MediaInfo and Icaros for thumbnails in explorer).
It comes in several variants, where the larger ones including more codecs depending on your needs (like ffdshow, XViD, and x264 if you need encoding videos). You can read more on their website codecguide dot com.
Comment has been collapsed.
can someone explain to me how that flaw would work in practice?
I mean, in my case, I only use a local copy of VLC to play local files - nothing over a network, no permission to go through my firewall. So how would it be a problem?
Comment has been collapsed.
This gizmodo article is beyond stupid!
To be affected, you would have to download and play a specially crafted MKV file created specifically to take advantage of this bug... You won't get "hacked" as the article implies just by having VLC installed :(
Comment has been collapsed.
article conclusion is also huge:
"...you’ve been warned"
LOL
Comment has been collapsed.
thanks for this, Micro.
also:
"VideoLAN is also aware of the issue and is currently working on a patch, though right now, that patch appears to only be 60 percent complete"
and from comments:
"the bug only affects opening MKV files. If you don’t download MKV video files from the Internet (torrents), then you are extremely unlikely to encounter a malicious file"
it seems lil' clickbait, but still.
from this one:
For anyone reading, please refer to the actual ticket where one of the lead developers on VLC claims that as of VLC 3.0.7.1 (and likely earlier)
the bug is not reproducible and does not crash:
https://trac.videolan.org/vlc/ticket/22474#comment:3
Comment has been collapsed.
Thank you for the info!
It was not my intention to be clickbait-y (I hope the updated title thread reflects this); I was trying to be helpful and merely going off the information which I had at the time. From what I had read, nothing was stated as to how this bug was tripped (and thus how one could avoid doing so), only that "there is this major hole which could be used somehow, so avoid having bad eggs use it by uninstalling the program now."
Also, that means that I--maybe--didn't have to uninstall my old version of VLC. 😳
Comment has been collapsed.
I was trying to be helpful
c'mon, say the truth... where do you hide your Monthly referral? :D
you've been helpful, Micro.
"clickbait" was for gizmodo, cause those are "profitable clicks" (and, at same time, "shit" on VLC).
my copy of VLC is here, calmly waiting fo' da patch! :P
Comment has been collapsed.
this is why I don't share scary stuff I read online without researching it more thoroughly.
Comment has been collapsed.
"VideoLAN is also aware of the issue and is currently working on a patch, though right now, that patch appears to only be 60 percent complete"
I don't get why some people say that 60% is "only 60%". A major flaw was found and in such a short span more than 60% was done. I'd say that's pretty quick.
Regardless, these issues will inevitably happen, so it is what it is. The faster the better. But the VLAN guys didn't leave the mistake in maliciously. Free software will never be perfect. This is as perfect as anything can really get.
Thanks for the info btw :D
Comment has been collapsed.
Uninstalled. I don't use it anyways, so I don't see any reason to keep it in my laptop.
Comment has been collapsed.
Do you use any other video player or do you just not watch videos?
Comment has been collapsed.
Yeah, forgot about streaming services. Though I also live in an area where I have fewer shows and movies in those services than the Vatican City has.
The pope has more stuff to watch than me. Damn it.
Comment has been collapsed.
Like ChibiCthulhu said, I watch everything online.
Comment has been collapsed.
Hmm? There is no problem if you are using in an environment where you do not play the "external media" carelessly.
However, in environments where there is a possibility of playing "external media", it may be necessary to temporarily take measures such as uninstalling.
(It is not good if the media player that plays with priority is VLC.)
There is no problem as long as you don't play "poisoned".
And when new versions come out, be sure to update.
Comment has been collapsed.
VideoLAN: "About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did https://twitter.com/videolan/status/1153963312981389312
I saw it and tried to post
Other people have already written. XD
BUMP to catch eyes
Comment has been collapsed.
Pfft, only amateurs use VLC! I just upload all my video files to Youtube and put them on private!
Comment has been collapsed.
Comment has been collapsed.
Like several people said there is no reason to uninstall VLC due to this because the only way to get "hacked" is to download specially crafted file designed to take advantage of this security fault. I would still advise uninstalling VLC since there are better players out there, like PotPlayer.
Comment has been collapsed.
Can you tell real and verifiable advantages of PotPlayer over VLC?
Comment has been collapsed.
PotPlayer has a lot better interface, lot more options and some features that VLC doesn't have, better graphical quality (both live action and anime shows/movies look somewhat washed out in VLC when compared to PP). Some articles claim that PP uses less resources than VLC, but that's something I can't comment on as I haven't tested and compared that myself.
Comment has been collapsed.
Sounds pretty subjective. But thanks for your opinion.
Comment has been collapsed.
Well better interface is something that can be classified as subjective opinion. But having more options and features isn't subjective, albeit I guess not everyone sees that as a good thing since some people prefer to keep things simple and minimalistic. The difference between colors is quite noticeable too and I'd be surprised if people preferred washed-out colors from VLC.
I would suggest giving PP a try and seeing for yourself. It's free and quick to download so you've got nothing to lose aside from some time.
Comment has been collapsed.
The difference between colors is quite noticeable too and I'd be surprised if people preferred washed-out colors from VLC.
Question is not "what people prefer", question is "which is correct". And that's a tricky question, because you will need some kind of reference. Best way to check will be to take some test image, make a video from this image, and compare playback of VLC and PotPlayer. The one that displays colors closer to reference image is better. This test will be objective, while "people preferred" is absolutely subjective.
Comment has been collapsed.
No worries on my part. I don't use torrent's and I ONLY use my VLC to watch the odd DVD (yes I still have a DVD player in my pc) when I want to.
Comment has been collapsed.
Chuckles Imagine having a DVD player on your pc in 2019. Slowly closes own DVD player
Comment has been collapsed.
Well, I don't have a bluray player nor a console. And since my old dvd player broke I decided to actually get a player in my pc. Why let my collection go to waste when I can watch some here and there?
Comment has been collapsed.
I had one on my old laptop. It bit the dust and I wasn't going to pay to get one built into this one, so I purchased a USB DVD drive which I use fairly regularly.
Comment has been collapsed.
Pshh, DVD player? Real PC users have DVD burners!
Yeah, I can't remember the last time I actually burned a DVD...
Comment has been collapsed.
[Update 8:35 AM] Based on a tweet by VideoLAN, VLC may not be as vulnerable as it initially appeared. VideoLAN says the “security issue” in VLC was caused by a third-party library called Libebml that was fixed 16 months ago, and that Mitre’s claim was based on a previous (and outdated) version of VLC.
We have reached out to both companies for more info on what happened regarding the initial CVE, and will update the story if we hear back.
VideoLAN
@videolanAbout the "security issue" on #VLC : VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
Comment has been collapsed.
Comment has been collapsed.
Shouldn't you update the title considering that it isn't an alarming issue, as it still suggests?
Comment has been collapsed.
MKV
No worries, I don't play Mortal Kombat: Deadly Alliance ;)
Comment has been collapsed.
LOL. I had not considered that; thanks for the laugh! 🤣
Comment has been collapsed.
This Twitter thread speaks volume for the consequences of trusting clickbait social media "news" networks, the effects of sharing the first source you see without verifying its accuracy, and the spread of misinformation through lack of research. This has been a problem for a long time, even worse in the social media age, but it gets worse when it happens with more vital info such as the one related to security, safety, and even integrity.
Hopefully VideoLAN recovers from the repercussions of this shit show.
Comment has been collapsed.
Yes. I wholeheartedly agree with what you said, wish to again apologize for falling prey to it, and for perhaps alarming some of you. My intentions were honorable and above-board, but the results were a bit lacking.
Comment has been collapsed.
Hey no worries - I blame the official/high profile social media/news/blog platforms for this kind of thing happening. You'd think you could trust some of those big accounts and websites, then they pull that stuff and we're proved wrong.
Comment has been collapsed.
Just migrated from MPC to VLC, and then this article from Gizmodo appeared on my google discovery timeline. Reading through the article, and took a peek on comment discussion, oh well. Blocked gizmodo right away from my timeline.
Comment has been collapsed.
I use MPC because of the keyboard shortcuts "Alt + <--" and "Ctrl + <--" allowing me to back up 5 or 20 seconds (depending on which combo I use; I forget exactly which one does which) in the video. VLC looks slightly sharper at times, and has the ability to boost the volume to 150% of the original, but when you push "pause", it tales several frames to pause, while MPC pauses immediately.
Both are nice, but I find myself preferring MPC over VLC. :D
Comment has been collapsed.
I do agree about shortcut on VLC. It's not as snappy as it is on MPC. Especially on quitting the program shortcut (CTRL + Q or ALT+Q on MPC(?) I forgot) I can feel the slight delay. About jumping I could easily use Left/Right arrow without CTRL/ALT combo in VLC.
Anyway, I feel VLC is more lightweight than MPC. Also, there's no MPC on macOS (Yes, I use both mac and windows). Just want it to be unified. So... yeah
Comment has been collapsed.
New article header:
"You Might Want to Uninstall VLC. Immediately. [Updated: Maybe Not]"
lol.
Comment has been collapsed.
Read gizmodo. Knew it was going to be a clickbait article
But damn. It was an old problem fixed 16 months ago. And Gizmodo didn't even bother contacting videoLAN even once before creating that article? That's low, even for them. What about the 90 days warning to the company to fix vulnerabilities?
I hope VLC doesn't suffer too much.
Comment has been collapsed.
Is there any reason to use VLC over other players like MPC-BE? It has a horrible UI and can't even do basic things like play/pause video when you click on the viewing window which annoys me greatly.
Comment has been collapsed.
First of all, read this https://gizmodo.com/you-might-want-to-uninstall-vlc-immediately-1836641101
If you wish, you can read an article which is based on the first one, but is different and newer: https://www.pcgamer.com/vlc-media-player-has-a-critical-security-flaw/
I strongly recommend the K-Lite Codec Pack (Mega Edition, because why not) and the associated Media Player Classic - Home Cinema
https://www.codecguide.com/download_k-lite_codec_pack_mega.htm
TL,DR: VLC has a MAJOR, as-of-yet unpatched security flaw allowing RCE (hackers) onto your PC, Unix or Linux computer. HOWEVER, you have to do a lot of stuff in order to make this exploit be anywhere close to an issue for you. Use caution in downloading stuff.
The security flaw allows for remote code execution (RCE), which gives hackers total access to your computer to install, run, and modify anything on it without your knowledge. Additionally, hackers can exploit the issue to cause denial-of-service attacks, which is a common function of certain malware. CERT-Bund has given this a base vulnerability score of 9.8 out of 10.PS:Comments have stated this to not be as much of an issue as the two articles say, if caution is used and malicious .mkv files are avoided. Sorry for the overstatement at first; I was reporting based off of what I knew at the time.
PPS: It seems that the gizmodo article was nothing more than clickbait, or relied on someone with an older version of VLC downloading (and playing in VLC) a malicious .mkv file
(what even are these? has anyone used these in the last 5 years? I kid, I kid. 😎). I apologize for blowing this out of proportion, and yet I, in all good faith, reported here on what I knew at the time.Thank you to those users who have supplied further information to me about this issue. I truly appreciate all of you. I'll do my best to not get scared into posting a "PSA: bug report" in the future.
https://twitter.com/videolan/status/1153963312981389312 (and associated thread):
About the "security issue" on #VLC : VLC is not vulnerable. tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.TL;DR #2: Gizmodo reported on what is a non-issue for most users and scared a lot of people thereby.
Update VLC to the latest version (it probably would be a not-bad idea to upgrade your non-VLC players to the latest versions of those); continue to apply VLC (etc) updates as they release; if you use Ubuntu (read this thread, please), to be fully on the safe side, update the libebml library and see if you need to manually remove the old version (if such a thing is possible, I don't know as I don't use linux); remember to always scan your downloads before opening them; and you should be good.
Comment has been collapsed.