Skip to main content

VLC Media Player Suffers From Schrodinger's Vulnerability

(Image credit: Shutterstock)

You don't need a degree in quantum mechanics to know about Schrodinger's cat. The famous thought experiment proposes the idea that a cat put in a sealed box with a flask of poison and a radioactive source could be simultaneously alive and dead. Now we have Schrodinger's vulnerability: the popular VLC media player is said to be simultaneously vulnerable and invulnerable to a critical security flaw. It's quantum!

There is dispute over how severe the vulnerability is. CERT-Bund, a German security agency, said a malicious video could be used to crash VLC or enable remote code execution on a target device. Given the app's popularity--VLC is often mentioned in the countless "what app should I install first?" threads people start on social media when setting up a new PC--that could leave billions of systems at risk.

VLC creators VideoLAN denied that the situation was as dire as CERT-Bund made it seem. In a bug tracking report, members of the VideoLAN team repeatedly said the malicious video used by CERT-Bund doesn't make the latest version of VLC crash. VideoLAN said in a CVE listing that "given the nature of this issue, attackers may also be able to execute arbitrary code, but this has not been confirmed."

The non-profit organization also criticized the disclosure of this vulnerability through a series of tweets from its Twitter account. VideoLAN claimed it wasn't contacted before the flaw was revealed to the public, then asked if anyone at the CVE Team had tested the vulnerability themselves before listing it. It would be unusual if the non-profit wasn't contacted before this disclosure--vendors usually have 90 days to fix an issue before it's made public.

Meanwhile, the flaw originally received a 9.8 rating on the NIST National Vulnerability Database, which uses the Common Vulnerability Scoring System (CVSS) to make it easier to convey a vulnerability's severity. The highest possible rating is 10; making this initial 9.8 rating a big deal. However, NIST said that the vulnerability "has been modified since it was last analyzed by the NVD" and is "awaiting reanalysis, which may result in further changes to the information provided." Hopefully more information about how this disclosure was handled, how severe the vulnerability actually is and what VLC users have to do in response to these reports will be revealed sooner than later.

That's the second part of Schrodinger's cat: it's only possible to consider it both alive and dead while the box is sealed. Once someone actually bothers to check, they should have a definitive answer. The same ought to be true of this vulnerability.