VLC Media Player Suffers From Schrodinger's Vulnerability


You don't need a degree in quantum mechanics to know about Schrodinger's cat. The famous thought experiment proposes the idea that a cat put in a sealed box with a flask of poison and a radioactive source could be simultaneously alive and dead. Now we have Schrodinger's vulnerability: the popular VLC media player is said to be simultaneously vulnerable and invulnerable to a critical security flaw. It's quantum!

There is dispute over how severe the vulnerability is. CERT-Bund, a German security agency, said a malicious video could be used to crash VLC or enable remote code execution on a target device. Given the app's popularity--VLC is often mentioned in the countless "what app should I install first?" threads people start on social media when setting up a new PC--that could leave billions of systems at risk.

VLC creators VideoLAN denied that the situation was as dire as CERT-Bund made it seem. In a bug tracking report, members of the VideoLAN team repeatedly said the malicious video used by CERT-Bund doesn't make the latest version of VLC crash. VideoLAN said in a CVE listing that "given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed."

The non-profit organization also criticized the disclosure of this vulnerability through a series of tweets from its Twitter account. VideoLAN claimed it wasn't contacted before the flaw was revealed to the public, then asked if anyone at the CVE Team had tested the vulnerability themselves before listing it. It would be unusual if the non-profit wasn't contacted before this disclosure--vendors usually have 90 days to fix an issue before it's made public.

Meanwhile, the flaw originally received a 9.8 rating on the NIST National Vulnerability Database, which uses the Common Vulnerability Scoring System (CVSS) to make it easier to convey a vulnerability's severity. The highest possible rating is 10, making this initial 9.8 rating a big deal. However, NIST said that the vulnerability "has been modified since it was last analyzed by the NVD" and is "awaiting reanalysis, which may result in further changes to the information provided." Hopefully more information about how this disclosure was handled, how severe the vulnerability actually is and what VLC users have to do in response to these reports will be revealed sooner rather than later.

That's the second part of Schrodinger's cat: it's only possible to consider it both alive and dead while the box is sealed. Once someone actually bothers to check, they should have a definitive answer. The same ought to be true of this vulnerability. 

Nathaniel Mott
Freelance News & Features Writer

Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.

  • Gillerer
    The Schrödinger's cat thought experiment was devised for the purpose of ridiculing/criticizing the quantum theory: The idea that a living creature is both alive and dead at the same time is ludicrous and obviously impossible.

    Used for computer vulnerabilities, the analog would be that it's ridiculous to describe a flaw as both existing and not existing at the same time. The proper way would be to say that "we don't know" whether the flaw exists.
  • bit_user
    Gillerer said:
    Used for computer vulnerabilities, the analog would be that it's ridiculous to describe a flaw as both existing and not existing at the same time. Proper way would be to say that "we don't know" whether the flaw exists.
    This article is garbage.

    It wasn't until I reached the end that I realized its author had coined the name "Schrodinger's Vulnerability". As you say, this is an inaccurate analogy and obviously misleading.

    For anyone bothered by such drivel, I encourage you to use the "Contact Us" link and voice your disapproval: https://forums.tomshardware.com/misc/contact
    Or send emails to the editors listed here: https://www.tomshardware.com/reviews/about-us,4260.html
    Include a link to the article in question, and politely voice your concerns (e.g. misleading title, mis-characterization of the actual issue). We can only hope for change if we're willing to speak up. Don't assume anyone of consequence is reading the forums - we have to reach out to them and hope they listen to enough voices.
  • b-dayyy
    About a week ago, the LinuxSecurity staff started tracking a security issue related to VLC, the popular open source media player. As the week went on, it wasn’t completely clear what was fact and what was fiction. I decided to find out. I reached out to Jean-Baptiste Kempf, and we had a really interesting conversation on this topic. Check out what I learned: https://linuxsecurity.com/features/features/what-we-can-learn-from-the-recent-vlc-security-vulnerability-fiasco-a-conversation-with-videolan-president-jean-baptiste-kempf
  • bit_user
    b-dayyy said:
    About a week ago, the LinuxSecurity staff started tracking a security issue related to VLC, the popular open source media player. As the week went on, it wasn’t completely clear what was fact and what was fiction. I decided to find out. I reached out to Jean-Baptiste Kempf, and we had a really interesting conversation on this topic. Check out what I learned:
    I think you shouldn't really promote your content on this site. But, just from that abstract I'm confident it's better-written and deeper coverage than Mr. Mott's pitiful piece.