
Topic: WARNING! to all VLC player users! Stop using VLC and update it now!! - page 2. (Read 741 times)

legendary
Activity: 1624
Merit: 2481
Just out of curiosity, we all mostly use pirated Windows by downloading some Windows activators (like KMSpico) and using them to update our key and make this thing work without any issues. But, the question here is, are these activators safe? Can't they have the full data of my PC if they try to hack it through any Trojan or other virus/es when they're able to bypass Windows security to check whether our installed Windows is genuine or not?

Almost all cracked versions of valuable software (Windows, Photoshop, etc.) are infected with malware.
If you are using cracked software, you should definitely regard your computer as compromised.

Just because no one stole cryptos from you yet, it doesn't mean that they can't. Chances are high that they have access to your computer and/or it is used for spam mails / any other kind of botnet.


Cracking a software so it is able to run without activation keys etc. is not an easy task. It takes quite some time and they want to be paid for that work.

If you REALLY insist on using cracked software, use Linux as main OS and run all of this cracked stuff in a virtual machine if you really can't just use the open source alternatives.
legendary
Activity: 3052
Merit: 1273
What if?
I don't keep any private key in a PC I've used this media player in, while also having a 2fa enabled in wallet that also asks for a password to get into it?
Am I considered safe in that situation?

You're safe, but they still could make a copy of your wallet files & browser files (history, cookies, download list, etc.) which could be used for a brute-force or social-engineering attack.

And even if these guys are able to copy my wallet files and/or browser files like you said, can't I save my coins by sending all of them out of that wallet into a secure wallet I maybe use in my smartphone or another offline PC?

What if?
The wallet I use is infected itself (just like the case in Electrum)?

Just out of curiosity, we all mostly use pirated Windows by downloading some Windows activators (like KMSpico) and using them to update our key and make this thing work without any issues. But, the question here is, are these activators safe? Can't they have the full data of my PC if they try to hack it through any Trojan or other virus/es when they're able to bypass Windows security to check whether our installed Windows is genuine or not?
legendary
Activity: 1624
Merit: 2481
Just a question though, would the attack be similar to that exploit found on Mozilla browsers a while ago? Not really much into cybersec but would the vulnerability be dormant, or just lay down there until I play a certain type of video associated to the exploit? Kinda curious and want to know more, it wasn't stated anywhere in the article.

The attack itself? No.
The vulnerability itself? No.
The consequences? Yes.

The attack itself with the Firefox exploit was that you have to visit a prepared page. That's all you need to do to trigger the exploit.
With the VLC player, you need to download and start a specifically crafted file.

Firefox had a type conversion vulnerability. This means when handling different types of data (when converting them) one could get Firefox to crash.
In VLC you can trigger a heap overflow (writing beyond the space you are allowed to write data to) and/or a double-free (which means you can free up the same space of memory twice, allowing you to insert your own data (e.g. code to execute)).


Note that whenever you can get a program to crash because of an overflow (stack- or heap-) or a double-free, the chances are high that you can also insert your own code to be executed.
Which is also the case for Firefox and VLC.
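
The two bug classes named in the post above, shown from the fixing side as an added example that is not part of the thread and is not VLC's code. The record layout and the names `chunk_t`, `chunk_load` and `chunk_release` are hypothetical; the comments mark where the heap overflow and the double-free would otherwise occur.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout (not VLC's): one length byte, then payload. */
typedef struct {
    uint8_t *data; /* heap buffer owned by this struct */
    size_t cap;    /* bytes allocated */
    size_t len;    /* bytes in use */
} chunk_t;

int chunk_init(chunk_t *c, size_t cap) {
    c->data = malloc(cap);
    c->cap = c->data ? cap : 0;
    c->len = 0;
    return c->data ? 0 : -1;
}

/* The length byte comes from the file, so it is untrusted input. An
 * unchecked memcpy(c->data, in + 1, in[0]) here is the heap overflow. */
int chunk_load(chunk_t *c, const uint8_t *in, size_t in_len) {
    if (c->data == NULL || in_len < 1) return -1;
    size_t declared = in[0];
    if (declared > in_len - 1) return -1; /* claims more than the file holds */
    if (declared > c->cap) return -1;     /* would write past the allocation */
    memcpy(c->data, in + 1, declared);
    c->len = declared;
    return 0;
}

/* Free and clear the pointer: a second call (error path plus normal
 * cleanup) becomes free(NULL), which is defined to do nothing. */
void chunk_release(chunk_t *c) {
    free(c->data);
    c->data = NULL;
    c->cap = c->len = 0;
}

/* Constructed sample records: one honest, one lying about its length. */
static const uint8_t GOOD_RECORD[] = { 4, 'd', 'a', 't', 'a' };
static const uint8_t OVERSIZED_RECORD[] = { 200, 'x', 'x', 'x' };

int main(void) {
    chunk_t c;
    if (chunk_init(&c, 16) != 0) return 1;
    int ok = chunk_load(&c, GOOD_RECORD, sizeof GOOD_RECORD);
    int bad = chunk_load(&c, OVERSIZED_RECORD, sizeof OVERSIZED_RECORD);
    chunk_release(&c);
    chunk_release(&c); /* second release is a no-op */
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```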
hero member
Activity: 3038
Merit: 617
Which versions should I actually use as of now (that are not infected)?

I'm a fan of VLC media player just because of their (formerly 200% but now) 150% extra volume feature in it as well as multi-audio function but after watching this, I believe we are now in an era when almost every single thing that comes from internet (may it be a movie or a .exe executable file itself or almost anything) has the potential to steal our coins and the only way that looks trustworthy is to keep them either in an offline PC or a paper or maybe hardware (like ledger nano s). Even though, I still doubt that hackers have gone so insane before BTC as the only reason that makes them crazy about it is that, BITCOIN IS COMPLETELY DIGITAL and it can be hacked almost easily if they're able to get into a PC of someone.

What if?
I don't keep any private key in a PC I've used this media player in, while also having a 2fa enabled in wallet that also asks for a password to get into it?
Am I considered safe in that situation?

Yep, rolling your mouse scroll will give us more volume. I'm a VLC fan as I am a Linux user. I'm not sure if I have to worry about it but I may have to manually update it later on.

Google authentication is an extra added security which I'm also using to protect my exchange accounts.
legendary
Activity: 3052
Merit: 1273
Which versions should I actually use as of now (that are not infected)?

I'm a fan of VLC media player just because of their (formerly 200% but now) 150% extra volume feature in it as well as multi-audio function but after watching this, I believe we are now in an era when almost every single thing that comes from internet (may it be a movie or a .exe executable file itself or almost anything) has the potential to steal our coins and the only way that looks trustworthy is to keep them either in an offline PC or a paper or maybe hardware (like ledger nano s). Even though, I still doubt that hackers have gone so insane before BTC as the only reason that makes them crazy about it is that, BITCOIN IS COMPLETELY DIGITAL and it can be hacked almost easily if they're able to get into a PC of someone.

What if?
I don't keep any private key in a PC I've used this media player in, while also having a 2fa enabled in wallet that also asks for a password to get into it?
Am I considered safe in that situation?
hero member
Activity: 2030
Merit: 578
No God or Kings, only BITCOIN.
Thanks for the update OP. Actually I use it always for watching animes whenever I have new ones downloaded. There are times it pops up for a download but sometimes I ignore it because of low connectivity I have or sometimes whenever it pops up it was just for a moment so I never mind it at all. I'll update mine later.

There is some trick to do it I believe. Suppose a user is looking for an anime episode. Hacker can make a similar file, host it on their server or upload it to file-sharing services and then make Google ads. Some user who doesn't have a favourite website to download anime videos could download that file, even a random stranger who googles the episode of that anime could get exposed too.

He can also share that link to various forums, and it won't look suspicious as he's sharing a download link just like any other uploader.
So far I have my favourite site to download those and far it is an underrated anime website for download but I will stay very cautious at all times.
jr. member
Activity: 153
Merit: 4
I checked my android mobile and also on my ubuntu app store. It's updated to the latest, so no worries here. Thank you for the heads up.

hero member
Activity: 2926
Merit: 657
No dream is too big and no dreamer is too small
Thanks for spreading this news mate, just got it played yesterday and I think just to be safe, I'll shift with another media player.
I'll be sharing this news as well through my social media accounts.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Thanks for the warning

I have read in many places around that Media Player Classic is a way better player in terms of quality. However, VLC is more compatible with different video files (and I love the 125% audio volume function, which is missing on MPC).

More discussions here
Quote
Conclusion

I'm going to call this a victory for MPC-HC. Major kudos to the MPC-HC developer team for finally making it stable (with a nod to LAV package by Nevcairiel) while maintaining its keep-it-simple-stupid philosophy.

I would recommend keeping VLC around and up to date for those times that you want to stream outside of a browser, or loop segments, or play material at different speeds.
https://www.techhive.com/article/2892383/which-is-the-better-free-video-player-mpc-hc-176-vs-vlc-22.html
legendary
Activity: 3542
Merit: 1965
Thanks OP, I am running VLC player on a few computers at a small training lab at work and we have been experiencing a lot of problems lately, so I am glad you pointed this out, now we can plug another hole and possibly get rid of some of those problems.

We are running updated commercial Antivirus software on those computers and it did not flag VLC player as a possible threat or that it needed to be upgraded to the latest version. Damn, attacks are coming from the least expected angles these days!
legendary
Activity: 2170
Merit: 1789
I just wonder how can they trick the user here. Hopefully, those internet guys out there know how to deal on any download site they will encounter.

There is some trick to do it I believe. Suppose a user is looking for an anime episode. Hacker can make a similar file, host it on their server or upload it to file-sharing services and then make Google ads. Some user who doesn't have a favourite website to download anime videos could download that file, even a random stranger who googles the episode of that anime could get exposed too.

He can also share that link to various forums, and it won't look suspicious as he's sharing a download link just like any other uploader.
legendary
Activity: 3024
Merit: 2148
This is spooky, today even something as unrelated as a video player can have critical bugs that can pwn your system. I've stopped torrenting videos on my computer years ago and only use a tablet for this purpose which doesn't hold any critical information. I highly recommend people to practice security through isolation, when all important operations, like dealing with cryptocurrency, are done in an environment completely separate from any potentially risky behavior, which in these days is literally everything else, including simply browsing.
legendary
Activity: 2758
Merit: 6830
-snip-
If you update it, I don't see any problem on using it (just like I still use Electrum after the phishing exploit - even though that's more critical).

You can't be assured you are safe while using the old version. A lot of malicious hackers will try to exploit this by pushing fake files over torrent trackers and other websites. Anyone can rent a seedbox and get his torrent to the top of most trackers by getting a lot of "fake" seeders. I remember when the GTA V game was released (only for console) and suddenly there were 30GB+ fake torrents everywhere (even on trusted torrent websites). You can't trust anyone in a decentralized network/platform.

I wouldn’t be surprised if many “regular joes” get infected for not knowing about this and downloading his favorite movie.
legendary
Activity: 3122
Merit: 1398
According to the article,

"All the attacker needs to do is craft a malicious MKV or AVI video file and trick users into playing it using the vulnerable versions of VLC."

So generally, for that hacking thing to work, it will come from a video file as source. Not by using directly the outdated VLC to the prior downloads (in other words new downloads from random sites).

Am I right here?

I just wonder how can they trick the user here. Hopefully, those internet guys out there know how to deal on any download site they will encounter.

And I can't find the latest news about it. Can someone link it to me?

a) Stick with the popular and reputable download sites (especially torrent sites).
b) Use common sense
c) MORE IMPORTANTLY, UPDATE TO THE LATEST VERSION! (Version 3.0.7.1)


I will not stop using VLC. It's the fastest player, at least based on my user experience for 10 years I guess. I'm using a super outdated version of VLC lol (version 2) so I just need to update it.

To those newbies who are confused, better stop using VLC.
legendary
Activity: 2758
Merit: 6830
I'm not sure that I will get an answer, but I will ask. How about Ace Player (it's VLC based player)? On my PC it's made using 2.0.5 version of VLC. So, as I understand it's also unsafe. If yes, it's bad because I don't know alternative players to watch Ace Stream on PC.
It possibly has the same vulnerability. I would stop using it and wait until the maintainer (if there is one) talks about this/fixes it.

I just googled a bit and found a guide to make it work with Kodi (legit player/media service). Maybe you can try: https://techiestechguide.com/acestream-kodi/
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
I'm not sure that I will get an answer, but I will ask. How about Ace Player (it's VLC based player)? On my PC it's made using 2.0.5 version of VLC. So, as I understand it's also unsafe. If yes, it's bad because I don't know alternative players to watch Ace Stream on PC.
legendary
Activity: 3542
Merit: 1352
Quote
With more than 3 billion downloads, VLC is a hugely popular open-source media player software that is currently being used by hundreds of millions of users worldwide on all major platforms, including Windows, macOS, Linux, as well as Android and iOS mobile platforms.

Was about to ask which operating systems are compromised/vulnerable to the said vector until I read this. Good thing I let the automatic updates run on my PC earlier this morning before I went and took a run.

Quote
Though the proof-of-concepts demonstrated by both researchers cause a crash, a potential attacker can exploit these vulnerabilities to achieve arbitrary code execution with the same privileges as of the target user on the system.

Just a question though, would the attack be similar to that exploit found on Mozilla browsers a while ago? Not really much into cybersec but would the vulnerability be dormant, or just lay down there until I play a certain type of video associated to the exploit? Kinda curious and want to know more, it wasn't stated anywhere in the article.

legendary
Activity: 2240
Merit: 3150
₿uy / $ell ..oeleo ;(
And another vulnerability found, no one is safe.

I know many people use it, that's why I post it here.
Keep your coins safe.

Read below.

 
Quote
If you use VLC media player on your computer and haven't updated it recently, don't you even dare to play any untrusted, randomly downloaded video file on it.
Doing so could allow hackers to remotely take full control over your computer system.
That's because VLC media player software versions prior to 3.0.7 contain two high-risk security vulnerabilities, besides many other medium- and low-severity security flaws, that could potentially lead to arbitrary code execution attacks.
Source

Spread the news.