VLC: Doubts the existence of a security vacuum

Do you want to uninstall VLC? Many websites say that this is probably the best solution, but according to the developers of the application, the alleged security gap is excessive, and may not be dangerous at all.

The problem started with its publication CVE-2019-13615, characterized as a "critical" vulnerability with a score of 9,8 out of 10 (Heap Based Buffer Overflow Vulnerability).

VLC developers are unhappy that they did not even contact them before this bug was published.

This was probably not good. On the other hand, 9,8 out of 10 sounds like a nuclear disaster. This defect could lead to remote code execution, and they could gain control of your system through an error in VLC.

According to the CVE, this defect requires the reproduction of a defective MKV file. Theoretically, downloading a malicious MKV file from the Internet and running it could jeopardize VLC even though no one has yet reported that this has already happened. Also, the application version for macOS does not appear to be affected.

So, even if this defect is as bad as it sounds, you should be especially careful with MKV files. Do not download unreliable MKV files and do not run them with the popular application until an update is released.

But the update will probably be delayed, as the developers of the VLC application say no can reproduce the problem.

As the VLC developers explain in bug tracker of VideoLAN:

"We are sorry, but this error cannot be reproduced and does not crash VLC at all." - Jean-Baptiste Kempf

"If you read about the error in a news article claiming that there is a critical gap in VLC, I suggest you read the comment above first and review your (fake) news sources." - Francois Cartegnie

"It does not crash the regular version of VLC 3.0.7.1" - Jean-Baptiste Kempf.

We are waiting for the answer of the researchers who discovered the security gap. It will be interesting to see who is wrong.