Secunia threatens to publish all security holes as soon as they're discovered

Jul 9, 2013 14:42 GMT  ·  By

Secunia has decided to stop all collaboration with VLC and publish all VLC vulnerabilities as soon as they’re found. The decision comes after the two sides got into an argument over the details of a vulnerability.

According to Secunia, security researcher Kaveh Ghaemmaghami identified a vulnerability in VLC 2.0.4 and published its details on the Full Disclosure mailing list. He believed the vulnerability was a buffer overflow triggered when parsing SWF files.

After analyzing the flaw, Secunia researchers determined that it was actually a use-after-free, not a buffer overflow.

VLC claimed to have addressed the issue with the release of version 2.0.5. However, Secunia found that the patch did not completely fix the issue, because the developers had not understood the root cause of the problem.

Secunia told VLC that the bug was not fixed, but the video player developer insisted that it was, and even threatened Secunia with legal action if the company refused to change its advisory to say that the issue was patched.

Secunia changed the patch status in its advisory until it could come up with a better proof of exploitability. Once its researchers became certain that the vulnerability was still exploitable, the status was changed back to “unpatched.”

In the meantime, an MKV parsing integer overflow vulnerability was reported to Secunia. After being notified of its existence, VLC confirmed receiving the report and stated that it would need time to address the issue.

However, VLC has failed to do so, and Secunia says the project has been ignoring its notifications.

In the meantime, VLC representatives have published several tweets claiming that “Secunia is totally dishonest and wrong.”

Secunia now warns users that the stable version of VLC 2.0.7 is still affected by both vulnerabilities.

“Until we receive a reach out from VLC and see a noticeable change in attitude and behaviour, we will drop all kind of cooperation with VLC, and publish all future vulnerabilities found immediately,” Secunia stated.

Update. VLC's Jean-Baptiste Kempf has published his own blog post in response to Secunia's accusations. Here's his side of the story.