VLC player vulnerability: memory corruption

There's an article out on ZDNet about a new vulnerability found in VLC player:

[quote=", post:, topic:"]

The first security vulnerability, discovered on 24 November last year, is a flaw which is triggered as user-supplied input is not properly sanitized when handling a specially crafted FLV file. The second vulnerability, much the same, is triggered as user-supplied input is not properly sanitized when handling a specially crafted M2V file -- both of which may be malicious and lead to a "context-dependent attacker corrupting memory and potentially executing arbitrary code."

Considered severe, the flaws are present on version 2.1.5 of VLC media player, and were tested through Windows XP SP3. While this legacy operating system is no longer supported by Microsoft, many users worldwide have not yet updated and may be vulnerable.

The vulnerabilities were reported to the VideoLAN project on 26 December 2014, but no patch has been issued to fix the problem.


Personally, I stopped using VLC some years ago after a couple of updates left it with poor performance and as my media watching habits changed. But this is the second time I've heard of VLC in a negative context--apparently, it's also know for blowing out speakers, which is why having it installed along with Win7 can void a Dell speaker warranty.

Thoughts from the community?

Have been using VLC as my default media player on my laptop and desktops for years now. Except for an occasional crash, I've never had any issue with it whatsoever.

Sent from my GT-I9100G using Tapatalk 2

There's literally hundreds of free media players available. You can switch to any one of them if you feel 'unsecure' with VLC.

Personally, I've also been using VLC for a long time now, haven't had any issues with it. It's open-source, lightweight, customizable and supports just about any media file you'd want to play on it. I'm cool with it having any possible vulnerabilities because...

Here's a quote: "Agar kismat kharab ho to oont pe bethe hue boney admi ko bhi kutta kaat jata hai". Translation: "If unlucky, even a midget sitting on a camel gets bitten by a dog". :P

I already mentioned earlier that I personally transitioned away from VLC a few years ago when performance issues made it simply not worth the hassle. But even that is also not "proof" that VLC is a bad option. I think we can all agree anecdotes are not evidence? On the other hand, it's hardly a matter of "feeling" insecure when vulnerabilities have been discovered by security analysts and aspects of the software are detrimental enough to void hardware warranties. VLC is not the only open-source, lightweight and customizable media player out there but it is certainly the most prominent and massively popular one. It would be interesting to see how the developers react to this and how the open source community of users is affected. Open source ideology should be about maintenance as well as freedom and innovation. Possibly we might even see greater diversification with open source multimedia playback options?

at main topic..

i was never a fan of VLC since its inception, JetAudio FTW.. but then jetaudio went nuts after version 8, and media player classic was brn which required a lot of customisation just to have the shortcut keys which jetaudio worked with default.. but after getting used to MPC, there was no going back to vanilla players..

i only tried VLC when my main KMplayer started having problems and i needed sometimes to watch 2 videos at once, so the secondary media player i tried was the vlc due to its popularity..

VLC is toooo simple when used at first, and toooo comlicated when explored, and yet many of the basic functions in KMplayer and Pot player are not in it even then.

the aspect ratio handling is horrible. and all its settings require the player to be restarted every time to be implemented.. and the worst thing is the still occasional crashes, and its supposed to run streaming and incomplete files fine by default,(Video LAN) but run a partially downloaded file and it crashes instantly and shut down.. doesnot even restart.

the VLC video is better in color reproduction than other players, and audio is very clean.. but very low volume, no filter management, no video enhancements like others, and a poor interface incompatible with many keyboard MM keys and shortcuts.

open source projects should be improved to keep the sense of open source, open. KMplayer is a prime example of a master piece software going corporate with ads and a lot of crap now in new versions which are not even mainstream in USA. on the other hand, the people behind the exact software PotPlayer are still free, open source, have exact same interface and features and yet they are improving it leaps and bounds in both 32bit and 64 bit versions every now and then.

I do keep VLC as backup player.

It has tendency to break with updates.

Using Jet Audio as main player since windows 98 days. :)

It has good keyboard controls and makes good use of mouse as well.

Since version 8, Jet Audio went legit aka they dropped support for those illegal formats like .mkv, .avi etc... But a small "ffdshow codec pack" took care of that and it became even more capable than before.

for me, it hase been 3 years with KMplayer and potplayer.. too much customizable..

maybe its time i should go back to jet auudio and give it a try.. it had been m dearest friend for many a years from version 4 to 7 :D