Dodgy vids can hijack PCs via VLC security flaw, US, Germany warn. Software's makers not app-y with that claim

VLC is said to be once again vulnerable to remote-code execution – meaning a booby-trapped video opened by the software could potentially crash the media player, or joyride it to run malware on the host machine. However, the developers of the open-source application, which has been downloaded literally billions of times and …

  1. Anonymous Coward

    I prefer MPC-HC

    Less bloat, more useful than VLC

    1. phuzz Silver badge

      Re: I prefer MPC-HC

      Did a quick test. On my system (Win10) VLC uses twice as much memory as MPC (at idle, not playing anything), which does make it sound bloated, but that's 9.9MB vs 4.9MB, which on a modern PC is hardly resource hogging is it? Both used about 80-90MB when playing a video. So, both are pretty light on resources by the standards of the last decade or so (I think I'd have to go back pre-2000 to find a computer that I owned with less than 100MB of RAM).

      My original problem with MPC (from back when it came out) was that I never understood why someone would want to clone Windows Media Player from the pre-XP days. Otherwise they're pretty similar on features, but I think I'll stick to the one I'm familiar with.

      1. Captain Scarlet Silver badge

        Re: I prefer MPC-HC

        MPC was for users like me who preferred the older Windows Media Player to the skinned one (I think it was the Windows ME era it came out).

        If I wanted a skinned player I would use Sonique (More for Visualisations) or Winamp (More for the look).

        If I wanted just to check clips quickly MPC loaded quickly and meant I could ditch Real Alternative and Quicktime Alternative (I have a feeling they were called something else but can't recall).

        These days I use VLC on my machine as it just works with everything (Including old episodes of the original Pure Pwnage Online Series), however I usually watch my videos on a tablet or TV so actually.

        I have no issue with either, both do the job but VideoLAN is easier to keep up to date (As Media Player Classic stopped updating, went to Media Player Classic Home Cinema, etc...)

        *Edit: I am pretty sure the skinned Media Player was in ME as it always crashed if you didn't have more than 128MB of RAM, so most users found the "classic" media player still on the drive and ran that instead.

      2. Sandtitz Silver badge

        Re: I prefer MPC-HC

        MPC and the derivative MPC-HC have always been lightweight, no-nonsense players which mimicked the original Windows Media Player (well, v6.4) when MS decided to skin WMP in post-6.4 versions, made it more demanding for hardware of the era and just made it less usable.

        Back in 2006-2007 Windows Vista brought the DX Video Acceleration 2.0 API which enabled dedicated hardware to decode H.264 and VC-1 - a very demanding chore unless you owned the very latest and greatest Intel C2D CPUs, and even then there was a chance of dropping frames in Full HD Blu-ray playback on PC. In the same timeframe ATI and Nvidia brought their latest GPU generations which happened to have quite reasonable HD decoding features, called UVD and PureVideo.

        MPC-HC was a fork of MPC (or just renamed?) and one of the very first FREE media players to support DXVA2 and thus GPU decoding, around 2007-2008 timeline. VLC took ages to support GPU decoding - v1.1 in 2010 and it was buggy for a long time.

        VLC is fine these days, but I still prefer MPC-HC just because I'm used to the UI.

        1. Captain Scarlet Silver badge

          Re: I prefer MPC-HC

          It was one of a few forks after the original MPC stopped being maintained, according to Wikipedia by Gabest which I seem to remember.

          I must admit I have no issue with the UI, but then again I have no issue with 7Zip's UI when I know people will look at it and glaze over.

  2. Trey Pattillo

    revisit MPC-HC my test

    @AC - You might want to revisit the MPC-HC website [and it is Windows only]

    v1.7.13 is released and farewell

    July 16, 2017 XhmikosR

    v1.7.13, the latest, and probably the last release of our project…

    Tested on VBox Guest on Win10 running SolydK [Debian stable] .....IT CRASHED VLC latest

    On Win10 it did nothing: it would not play, but did not crash.

    1. georgedeath

      Re: revisit MPC-HC my test

      It is still being actively worked on here: - I've been using this version for the last year with no issues.

  3. VikiAi

    VLC crashing? Say it isn't so!

    I have implemented a quick-link to a killall -9 vlc script on my desktop bar to save having to keep a process monitor open to kill it every other video.

    Though to be fair, in my case it appears to be the H.264/HEVC decoder and/or the MP4 container format generated by Eris-and-her-daughters-knows-what encoder, that is actually spitting the dummy, taking VLC zombie with it. Never had an issue with anything converted to x265 in a Matroska container via Handbrake, which is my default action with anything I can process that way before viewing, given the choice. (When oh when will students follow the submission guidelines provided!)

    1. Claverhouse Silver badge

      Re: VLC crashing? Say it isn't so!

      Um... aren't 264 and HEVC-265 fundamentally different?

      [ Declaring an interest: I loathe the blurred smoothness of 265 and discard every instance offered. 264 is just fine. ]

      1. Anonymous Coward

        Re: VLC crashing? Say it isn't so!

        Sounds like those instances pushed the compression settings too high... my own tests on H265 have shown it preserves more detail than H264 at the same bitrate.

    2. Weiss_von_Nichts

      Re: VLC crashing? Say it isn't so!

      Sounds a bit like an outdated version of MPAC - or whatever else there is installed for .h264/5. The probably most hassle- and GUI-free way to watch HEVC/AVC anyway is to install mplayer and just select "open with mplayer" (or double-click the video after setting the right default action). Used to work even with Windows and has the advantage of getting told explicitly what there is that exactly causes potential trouble when run from the command line.

  4. This post has been deleted by its author

  5. timrichardson

    The Ubuntu LTS packaged version, 3.0.4, does crash on the proof of concept video. But the 3.0.7 version does not crash. So I now use the snap version for this, having seen that VLC officially recommends the snap as their distribution channel for Linux users.

    1. Claverhouse Silver badge

      On Mint, earlier this year I discovered a few hundred GB of Snap installation packs left in one of the obscurer Linux directories.

      I removed them and all the applications still ran; but after a short while I removed the Snap installers and the applications which I reinstalled the good old-fashioned way. Hard disk space may be cheap now, but I don't intend to devote a good slice of a 250 GB SSD to files that can't even be bothered to self-destruct after installation.

      As for players, I use SMPlayer virtually exclusively. One needs to adjust preferences, but say, easy to allow multiple instances to watch a lot of videos at the same time.

      1. lglethal Silver badge

        Just curious - why would you need to watch a lot of videos at the same time? Surely watching them sequentially would be a more standard way of doing things...

        Unless you're a security guard I guess. Or a voyeur... ;)

        1. Martin an gof Silver badge

          I did have a temporary application a couple of years ago where I was provided with a non-standard format video file intended to be played on three adjacent monitors. With no budget, we borrowed two of the monitors and I built a computer with two video cards (one running two monitors, the other one) from spares, but I couldn't get VLC to go "fullscreen" across all three, nor Mplayer. I tried splitting the video into three normal-shaped parts and running them in three separate instances of VLC with no luck whatsoever. Mplayer came much closer to working, but in the end the best solution, and one I kicked myself over when I realised, was to tell KDE that when I said "fullscreen" I meant all three screens together. VLC still wasn't entirely happy (never did track that down) but Mplayer worked just fine.

          I am also playing with a user-interactive which would show four or maybe six looping "thumbnail" videos and cause the full video to play when a user touches a thumbnail. Believe it or not, even a Raspberry Pi 2 can play three or four videos simultaneously from the SD card when using the incredible omxplayer.

  6. Sitaram Chamarty

    POC video did NOT crash my VLC

    I merely got an error like this:

    [00007f5b20c156e0] avformat demux error: Could not open /home/ff/heap-over-flow.mp4: Unknown error 1094995529

    Further, the same vlc window was responsive (for example I was able to open some *other* video file and ask it to play it, and it did).

    1. Paul Crawford Silver badge

      Re: POC video did NOT crash my VLC

      Same here.

      A related question for everyone: Is there an apparmor profile for VLC that would contain/damage-limit any future bugs of this sort?
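      An AppArmor profile of the kind asked about above, added here as an illustration; it is not from this thread and not VideoLAN's own packaging. It assumes the binary is /usr/bin/vlc with plugins under /usr/lib/<multiarch>/vlc/, that videos live in the listed directories, and that the standard abstractions shipped with apparmor-profiles are present. The point is damage limitation: no execute permission is granted anywhere, so a bug in a demuxer or codec that takes over the process still cannot spawn another program, and the usual credential files are denied outright.

```apparmor
# Added example profile, not from the thread nor from VideoLAN.
# Assumed paths: /usr/bin/vlc, plugins in /usr/lib/@{multiarch}/vlc/.
# Deploy: copy to /etc/apparmor.d/usr.bin.vlc, then
#   aa-complain usr.bin.vlc   # log-only while you check syslog/journal
#   aa-enforce  usr.bin.vlc   # switch to enforcing once the log is quiet
#include <tunables/global>

/usr/bin/vlc {
  #include <abstractions/base>
  #include <abstractions/audio>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/fonts>
  #include <abstractions/nameservice>
  #include <abstractions/X>

  # The binary, its plugins and data: read and map only, never write.
  /usr/bin/vlc mr,
  /usr/lib/@{multiarch}/vlc/** mr,
  /usr/share/vlc/** r,

  # Per-user configuration and cache, owned by the invoking user.
  owner @{HOME}/.config/vlc/ rw,
  owner @{HOME}/.config/vlc/** rwk,
  owner @{HOME}/.cache/vlc/ rw,
  owner @{HOME}/.cache/vlc/** rwk,
  owner @{HOME}/.local/share/vlc/ rw,
  owner @{HOME}/.local/share/vlc/** rwk,

  # Media directories (assumed): read-only, so a malicious file cannot
  # use the player to overwrite anything else in the home directory.
  owner @{HOME}/Videos/** r,
  owner @{HOME}/Downloads/** r,
  /media/** r,
  /mnt/** r,

  # Devices for GPU decoding and sound output.
  /dev/dri/* rw,
  /dev/snd/* rw,

  # Streaming needs sockets; delete these two lines on an offline box.
  network inet stream,
  network inet6 stream,

  # Explicit denials for material a hijacked player must never reach.
  # (Denied anyway by default, but explicit rules keep them denied even
  # if an abstraction above is later widened.)
  deny @{HOME}/.ssh/** rwkl,
  deny @{HOME}/.gnupg/** rwkl,
  deny @{HOME}/.bashrc w,
  deny @{HOME}/.profile w,

  # Deliberately no 'x' rules anywhere: under this profile VLC cannot
  # execute any other program, which is the main containment win.
}
```

      Run it in complain mode first and watch for DENIED lines from apparmor in the system log; each one is either a path that belongs in the media list, or a sign the player is touching something it has no business with. Only then switch to enforce.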

  7. mark l 2 Silver badge

    On my Linux Mint box VLC did NOT crash or even throw any error when I tried to play the heap-over-flow.mp4, just nothing showed inside the player. And I was able to play other videos after trying to play it so it appears VLC was not affected by the heap overflow bug in my case.

    So it's clearly not an open and shut case of it will crash every VLC version on every OS

  8. Steven Raith

    For what it's worth.....

    VLC have come back saying

    "it's not VLC you spoons, it's a 3rd party library, it's been fixed for over a year and hey, you want to follow your own fucking processes for bug disclosure you fucking fucks?"

    1. Steven Raith

      Re: For what it's worth.....

      (to be clear, it looks like Shaun or the editorial team updated the article just as I posted the above comment, which was within the hour of VLC tweeting it - not bad, El Reg, not bad.

      Could be a juicy little story about the lackadaisical attitude of Mitre and Certbund in there as well...)

  9. This post has been deleted by its author

  10. 89724102172714182892114I7551670349743096734346773478647892349863592355648544996312855148587659264921

    This is why I use version 2.0.0 - nobody bothers to target something so damned old and rare in use, no matter what vulnerabilities are
