Author

Topic: WARNING! to all VLC player users! Stop using VLC and update it now!! (Read 744 times)

legendary
Activity: 2240
Merit: 3150
₿uy / $ell ..oeleo ;(
Even if my PC has a reputed Anti-Virus/Anti-Malware/Anti-Spyware software to ^protect^ my PC, should I still consider it compromised if my OS is pirated?

Yes, your system is still vulnerable against zero-day exploit, especially due to update is disabled by default on some pirate distribution.

And what about a crack (or an activator) that allows you to freely update your software even with a fake key? If my OS remains updated, is it still vulnerable to hacks just because it isn't genuine?

4) I've an Antivirus which is itself cracked to use its Premium features

4) No Idea

Sorry for the incomplete statement there.
What I mean is:
What if I have an Antivirus software which is cracked by a software from some website to use its Premium features like adding extra database of all the known viruses from that Antivirus company, even though my Windows is genuine and not cracked?


Everything that's is cracked is not secure, just because it's very common that the cracking files are injected with Trojan horses. So you are infected right after your fresh installation. Try to avoid all the unlicensed software.
legendary
Activity: 3052
Merit: 1273
Even if my PC has a reputed Anti-Virus/Anti-Malware/Anti-Spyware software to ^protect^ my PC, should I still consider it compromised if my OS is pirated?

Yes, your system is still vulnerable against zero-day exploit, especially due to update is disabled by default on some pirate distribution.

And what about a crack (or an activator) that allows you to freely update your software even with a fake key? If my OS remains updated, is it still vulnerable to hacks just because it isn't genuine?

4) I've an Antivirus which is itself cracked to use its Premium features

4) No Idea

Sorry for the incomplete statement there.
What I mean is:
What if I have an Antivirus software which is cracked by a software from some website to use its Premium features like adding extra database of all the known viruses from that Antivirus company, even though my Windows is genuine and not cracked?
legendary
Activity: 2310
Merit: 4085
Farewell o_e_l_e_o
< ... >
To those newbies who are confused, better stop using VLC.
I read from one member of group I joined that animated images also a highly vulnerable things. It sounds like you have good knowledge about that, so if you have time, can you give me some basics about such vulnerabilities of animated images, please

You made a very helpful recommendations, but you also made me shocked by saying you have still used the version 2.  Shocked
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
Even if my PC has a reputed Anti-Virus/Anti-Malware/Anti-Spyware software to ^protect^ my PC, should I still consider it compromised if my OS is pirated?

Yes, your system is still vulnerable against zero-day exploit, especially due to update is disabled by default on some pirate distribution.

1) I run Pirated Windows in a Linux OS based PC through Virtual Machine software
2) I run Linux OS in a Pirated Windows through Virtual Machine software and keep my coins in Linux
3) I run both by installing both these OS in one PC simultaneously
4) I've an Antivirus which is itself cracked to use its Premium features

1, 2) Should be secure, it's difficult to "get out" from Virtualization & vice-versa
3) Should be secure, use drive encryption on Linux OS if you have serious security concern
4) No Idea
legendary
Activity: 3052
Merit: 1273
--snip--

Almost all cracked versions of valuable Software (windows, photoshop, etc..) are infected with malware.
If you are using cracked software, you should definitely regard your computer as compromised.

Even if my PC has a reputed Anti-Virus/Anti-Malware/Anti-Spyware software to ^protect^ my PC, should I still consider it compromised if my OS is pirated?

Quote
Just because noone stole cryptos from you yet, it doesn't mean that they can't. Chances are high that they have access to your computer and/or it is used for spam mails / any other kind of botnet.

Once again, what about those preventive softwares?

 
Quote
Cracking a software so it is able to run without activation keys etc. is not an easy task. It takes quite some time and they want to be paid for that work.

If you REALLY insist on using cracked software, use linux as main OS and run all of this cracked stuff in a virtual machine if you really can't just use the open source alternatives.

Ok, I've got some extra questions here for more knowledge and I really don't want to make an extra thread for the same:

What IF?

1) I run Pirated Windows in a Linux OS based PC through Virtual Machine software
2) I run Linux OS in a Pirated Windows through Virtual Machine software and keep my coins in Linux
3) I run both by installing both these OS in one PC simultaneously
4) I've an Antivirus which is itself cracked to use its Premium features
legendary
Activity: 2296
Merit: 1014
And another vulnerability found, no one is safe.

I know many people use it that's why I post it here.
Keep your coins save.

Read below.

Its most popular video player in the world. Its huge vulnerability and noone is safe while using it now. Update asap or just dont use it for a while.
Be safe, i didnt hear reports someone lost BTC because of it, but you never know, better to be safe than sorry.
member
Activity: 686
Merit: 45
I dont use it that often but when I do watch videos on my PC VLC is my main player. Thanks iasenko, I had 3.0.5 installed but now I have updated to the newest version.
legendary
Activity: 3164
Merit: 3290
I never trusted VLC player in the past and i havnt installed it , glad i am havnt used it and i was expecting some kind of security problems !
The software Develop. for some Malware and other Trojans getting everyday smarter !
Just remember about the Fake Anns with the download links on the Wallet Link .
hero member
Activity: 1806
Merit: 672
I don't get it so is the video file the one vulnerable or is VLC the one triggering it to do so? If it's the latter then you need to have two of the corrupted files for you to be hackable am I right on this one? Or is the article unclear on their explanation because based on their message suspicious video files if played with VLC will make the hacker have full acces with your computer.
hero member
Activity: 2268
Merit: 669
Bitcoin Casino Est. 2013
I am not using VLC Media player anymore in my computer years ago rather than using the media player that your computer's operating system. As of now I only use windows Media Player or Windows Media Player Classic. VLC player have problems when i'm using it before that is why I am only using those two media players until now.
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
The average computer must have 50-100 third party programs that could pounce on you at any moment.

I long ago stopped doing anything directly crypto related on anything other than a dedicated machine. I am guilty of continuing to do exchange related things but it's 2FA'd up the arse and I don't put significant sums through any exchange either.

This will never, ever, ever end and will only get sneakier and more creative. It does make me wonder about crypto's future viability when the machines we use seem to be throwing an ever increasing number of weaknesses.

Add to this the fact that many people like to pirate software and media (no judgement here), and you got a recipe for a disaster.

Right now there are so many options for getting electronic devices that can be used with Bitcoin - I personally have 2 old PC's for those purposes, but if I didn't, I'd probably buy a Raspberry Pi - at 40-50 they are cheaper than hardware wallets, offer the same level of security when used as cold storage, more flexible, and can be used for a wide variety of purposes. You can install Tails on a USB stick, and do your online trading from it, and it will have much higher level of security than using your main PC and hardware wallet.

Yea, but Tails can also be vulnerable if you using a Persistent volume & a outdated version of the wallet that comes pre-configured and installed with the OS.

I use Tails, but I rarely use the wallet that comes with it, because it is mostly outdated and I do not want to update it on a persistent volume, every time I "clean" boot it.

Consider using virtual pc's too, because you basically have a "clean" OS every time you end a session and fire up a new one.  Wink
legendary
Activity: 3024
Merit: 2148
The average computer must have 50-100 third party programs that could pounce on you at any moment.

I long ago stopped doing anything directly crypto related on anything other than a dedicated machine. I am guilty of continuing to do exchange related things but it's 2FA'd up the arse and I don't put significant sums through any exchange either.

This will never, ever, ever end and will only get sneakier and more creative. It does make me wonder about crypto's future viability when the machines we use seem to be throwing an ever increasing number of weaknesses.

Add to this the fact that many people like to pirate software and media (no judgement here), and you got a recipe for a disaster.

Right now there are so many options for getting electronic devices that can be used with Bitcoin - I personally have 2 old PC's for those purposes, but if I didn't, I'd probably buy a Raspberry Pi - at 40-50 they are cheaper than hardware wallets, offer the same level of security when used as cold storage, more flexible, and can be used for a wide variety of purposes. You can install Tails on a USB stick, and do your online trading from it, and it will have much higher level of security than using your main PC and hardware wallet.
newbie
Activity: 2
Merit: 0
Thanks for the warning

I have read in many places around that media player classic is a way better player in terms of quality. However, vlc is more compatible with different video files (and I love the 125% audio volume function, which is missing on mpc)

More discussions here
Quote
Conclusion

I'm going to call this a victory for MPC-HC. Major kudos to the MPC-HC developer team for finally making it stable (with a nod to LAV package by Nevcairiel) while maintaining its keep-it-simple-stupid philosophy.

I would recommend keeping VLC around and up to date for those times that you want to stream outside of a browser, or loop segments, or play material at different speeds.
https://www.techhive.com/article/2892383/which-is-the-better-free-video-player-mpc-hc-176-vs-vlc-22.html

First of all, thanks for the warning OP. From time to time I get lags and crashes using VLC, so stopped to use it for some time. Seems like it's time to update to the latest. Better safe than sorry.
Second, that's pretty sad that VLC is losing this fight, since MPC can play anything, but it uses more RAM than VLC. I attempted to watch an episode of Macross Frontier (1920x1080 23.976FPS) and while MPC taking up 25% CPU (quad-core) the video lagged every second or two. VLC however uses 7% on the same PC and plays lagless.
legendary
Activity: 2758
Merit: 6830
This means even if I use older version of VLC if the video file I play is not suspicious I am safe from these hacks?
Yeah. Only if the file is malicious. But why risk it? Just update to the latest version.

full member
Activity: 1176
Merit: 162
According to the article,

"All the attacker needs to do is craft a malicious MKV or AVI video file and trick users into playing it using the vulnerable versions of VLC."

So generally, for that hacking thing to work, it will come from a video file as source. Not by using directly the outdated VLC to the prior downloads (in other words new downloads from random sites).

Am I right here?

I just wonder how can they trick the user here. Hopefully, those internet guys out there know how to deal on any download site they will encounter.

And I can't find the latest news about it. Can someone link it to me?

a) Stick with the popular and reputable download sites (especially torrent sites).
b) Use common sense
c) MORE IMPORTANTLY, UPDATE TO THE LATEST VERSION! (Version 3.0.7.1)


I will not stop using VLC. It's the fastest player, at least based on my user experience for 10 years I guess. I'm using a super outdated version of VLC lol (version 2) so I just need to update it.

To those newbies who are confused, better stop using VLC.
This means even if I use older version of VLC if the video file I play is not suspicious I am safe from these hacks?
legendary
Activity: 2590
Merit: 3015
Welt Am Draht
The average computer must have 50-100 third party programs that could pounce on you at any moment.

I long ago stopped doing anything directly crypto related on anything other than a dedicated machine. I am guilty of continuing to do exchange related things but it's 2FA'd up the arse and I don't put significant sums through any exchange either.

This will never, ever, ever end and will only get sneakier and more creative. It does make me wonder about crypto's future viability when the machines we use seem to be throwing an ever increasing number of weaknesses.
legendary
Activity: 1778
Merit: 1009
Degen in the Space
VLC software version 3.0.4 was already considered as a malware last year but fixed. VLC was very known as an open source software so hackers can easily put some malware on it.
Just a fact, VLC was also used by the Government of America, CIA specifically, to spy target people.
jr. member
Activity: 199
Merit: 1
ooh thanks mate for sharing with us this good news and now i have deleted my VLC player. So it it good to delete it?.
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
I'm not sure that I will get answer, but I will ask. How about Ace Player (it's VLC based player)? On my PC it's made using 2.0.5 version of VLC. So, as I understand it's also unsafe. If yes, it's bad because I don't know alternative players to watch Ace Stream on PC.
It possibly has the same vulnerability. I would stop using it and wait until the maintainer (if there is one) talks about this/fix it.

I just googled a bit and found a guide to make it worth with Kodi (legit player/media service). Maybe you can try: https://techiestechguide.com/acestream-kodi/
Yeah, seems it would be best not to use it until new version of player will be released.
And thanks for link. I never used Kodi on PC, so I'm going to try it. In past I tried Acestream with Kodi on Android device, but it was laggy a bit, I hope it will perform better on Windows.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
one of the reasons for the slow spread of cryptocurrency is increased security measures. To keep the coins you have to be paranoid and check everything

Here's a couple options that can stave off that paranoia:

1) Keep your private keys offline. Electrum makes it very easy to sign transactions offline, so you can transact using a watching-only wallet on your online computer without compromising your private keys.

2) Security through isolation. Don't browse the internet, download torrents, open email attachments, etc. on the same machine where you hold private keys or log into exchange accounts. Have a PC that only uses a very limited number of "safe" applications and bookmarked websites.

Cold storage is the best option, but at the very least, you shouldn't be using Bitcoin alongside other reckless and insecure daily activities.
legendary
Activity: 1624
Merit: 2481
Just out of curiosity, we all mostly use pirated Windows by downloading some Windows activators (like KMSpico) and using them to update our key and make this thing work without any issues. But, the question here is, are these activators safe? Can't they have the full data of my PC if they try to hack it through any Trojan or other virus/es when they're able to bypass Windows security to check whether our installed Windows is genuine or not?

Almost all cracked versions of valuable Software (windows, photoshop, etc..) are infected with malware.
If you are using cracked software, you should definitely regard your computer as compromised.

Just because noone stole cryptos from you yet, it doesn't mean that they can't. Chances are high that they have access to your computer and/or it is used for spam mails / any other kind of botnet.


Cracking a software so it is able to run without activation keys etc. is not an easy task. It takes quite some time and they want to be paid for that work.

If you REALLY insist on using cracked software, use linux as main OS and run all of this cracked stuff in a virtual machine if you really can't just use the open source alternatives.
legendary
Activity: 3052
Merit: 1273
What if?
I don't keep any private key in a PC I've used this media player in, while also having a 2fa enabled in wallet that also asks for a password to get into it?
Am I considered safe in that situation?

You're safe, but they still could make a copy of your wallet files & browser files (history, cookies, download list, etc.) which could be used to brute-force or social-engineering attack.

And even if these guys are able to copy my wallet files and/or browser files like you said, can't I save my coins by sending all of them out of that wallet into a secure wallet I maybe use in my smartphone or another offline PC?

What if?
The wallet I use is infected itself (just like the case in Electrum)?

Just out of curiosity, we all mostly use pirated Windows by downloading some Windows activators (like KMSpico) and using them to update our key and make this thing work without any issues. But, the question here is, are these activators safe? Can't they have the full data of my PC if they try to hack it through any Trojan or other virus/es when they're able to bypass Windows security to check whether our installed Windows is genuine or not?
legendary
Activity: 1624
Merit: 2481
Just a question though, would the attack be similar to that exploit found on Mozilla browsers a while ago? Not really much into cybersec but would the vulnerability be dormant, or just lay down there until I play a certain type of video associated to the exploit? Kinda curious and want to know more, it wasn't stated anywhere in the article.

The attack itself? No.
The vulnerability itself? No.
The consequences? Yes.

The attack itself with the firefox exploit was that you have to visit a prepared page. That's all you need to do to trigger the exploit.
With the VLC player, you need to download and start a specifically crafted file.

Firefox hat a type conversion vulnerability. This means when handling different types of data (when converting them) one could get firefox to crash.
In VLC you can trigger a heap overflow (writing beyond the space you are allowed to write data to) and/or a double-free (which means you can free up the same space of memory twice, allowing to insert your own data (e.g. code to execute)).


Note, that whenever you can get a program to crash because of an overflow (stack- or heap-) or a double-free, the chances are high that you can also insert own code to be executed.
Which also is the case for firefox and VLC.
hero member
Activity: 3038
Merit: 617
Which versions should I actually use as of now (that are not infected)?

I'm a fan of VLC media player just because of their (formerly 200% but now) 150% extra volume feature in it as well as multi-audio function but after watching this, I believe we are now in an era when almost every single thing that comes from internet (may it be a movie or a .exe executable file itself or almost anything) has the potential to steal our coins and the only way that looks trustworthy is to keep them either in an offline PC or a paper or maybe hardware (like ledger nano s). Even though, I still doubt that hackers have gone so insane before BTC as the only reason that makes them crazy about it is that, BITCOIN IS COMPLETELY DIGITAL and it can be hacked almost easily if they're able to get into a PC of someone.

What if?
I don't keep any private key in a PC I've used this media player in, while also having a 2fa enabled in wallet that also asks for a password to get into it?
Am I considered safe in that situation?

Yep rolling your mouse scroll will give us the  more volume. I'm VLC fan as I am a Linux user. I'm not sure if I have to worried about it but I may have to manually update it later on.

Google  authentication  is an extra added  security which is also I'm using to protect my  exchange accounts.
legendary
Activity: 3052
Merit: 1273
Which versions should I actually use as of now (that are not infected)?

I'm a fan of VLC media player just because of their (formerly 200% but now) 150% extra volume feature in it as well as multi-audio function but after watching this, I believe we are now in an era when almost every single thing that comes from internet (may it be a movie or a .exe executable file itself or almost anything) has the potential to steal our coins and the only way that looks trustworthy is to keep them either in an offline PC or a paper or maybe hardware (like ledger nano s). Even though, I still doubt that hackers have gone so insane before BTC as the only reason that makes them crazy about it is that, BITCOIN IS COMPLETELY DIGITAL and it can be hacked almost easily if they're able to get into a PC of someone.

What if?
I don't keep any private key in a PC I've used this media player in, while also having a 2fa enabled in wallet that also asks for a password to get into it?
Am I considered safe in that situation?
hero member
Activity: 2030
Merit: 578
No God or Kings, only BITCOIN.
Thanks for the update OP. Actually I use it always for watching animes whenever I have new ones been downloaded. There are types it pop up for a download but sometimes I ignore it because of low connectivity I have or sometimes whenever it pops up it was just for a moment so I never mind it at all. I'll update mine later.

There is some trick to do it I believe. Suppose a user is looking for an anime episode. Hacker can make a similar file, hosted it on their server or upload it to file-sharing services and then make google ads. Some user who doesn't have favourites website to download anime videos could download that file, even random stranger who googles the episode of that anime could get exposed too.

He can also share that link to various forums, and it won't look suspicious as he's sharing a download link just like any others uploaders.
So far I have my favourite site to download those and far it is an underrated anime website for download but I will stay very cautious at all times.
jr. member
Activity: 153
Merit: 4
I checked my android mobile and also on my ubuntu app store. It's updated to the latest, so no worries here. Thank you for the heads up.

hero member
Activity: 2926
Merit: 657
No dream is too big and no dreamer is too small
Thanks for spreading this news mate, just got it played yesterday and I think just to be safe, I'll shift with another media player.
I'll be sharing this news as well through my social media accounts.
legendary
Activity: 2352
Merit: 6089
bitcoindata.science
Thanks for the warning

I have read in many places around that media player classic is a way better player in terms of quality. However, vlc is more compatible with different video files (and I love the 125% audio volume function, which is missing on mpc)

More discussions here
Quote
Conclusion

I'm going to call this a victory for MPC-HC. Major kudos to the MPC-HC developer team for finally making it stable (with a nod to LAV package by Nevcairiel) while maintaining its keep-it-simple-stupid philosophy.

I would recommend keeping VLC around and up to date for those times that you want to stream outside of a browser, or loop segments, or play material at different speeds.
https://www.techhive.com/article/2892383/which-is-the-better-free-video-player-mpc-hc-176-vs-vlc-22.html
legendary
Activity: 3542
Merit: 1965
Leading Crypto Sports Betting & Casino Platform
Thanks OP, I am running VLC player on a few computers at a small training lab at work and we have been experiencing a lot of problems lately, so I am glad you pointed this out, now we can plug another hole and possibly get rid of some of those problems.  Wink

We are running updated commercial Antivirus software on those computers and it did not flag VLC player as a possible threat or that it needed to be upgraded to the latest version. Damn, attacks are coming from the least expected angles these days!  Angry Angry Angry
legendary
Activity: 2170
Merit: 1789
I just wonder how can they trick the user here. Hopefully, those internet guys out there know how to deal on any download site they will encounter.

There is some trick to do it I believe. Suppose a user is looking for an anime episode. Hacker can make a similar file, hosted it on their server or upload it to file-sharing services and then make google ads. Some user who doesn't have favourites website to download anime videos could download that file, even random stranger who googles the episode of that anime could get exposed too.

He can also share that link to various forums, and it won't look suspicious as he's sharing a download link just like any others uploaders.
legendary
Activity: 3024
Merit: 2148
This is spooky, today even something as unrelated as a videoplayer can have critical bugs that can pwn your system. I've stopped torrenting videos on my computer years ago and only use a tablet for this purpose which doesn't hold any critical information. I highly recommend people to practice security through isolation, when all important operations, like dealing with cryptocurrency, are done in environment completely separate from any potentially risky behavior, which in these days is literally everything else, including simply browsing.
legendary
Activity: 2758
Merit: 6830
-snip-
If you update it, I don’t see any problem on using it (just like I still use Electrum after the phishing exploit - even thi thats more critical).

You can’t be assured you are safe while using the old version. A lot of malicious hackers will try to exploit this by pushing fake files over torrent trackers and other websites. Anyone can rent a seedbox and get his torrent to the top of most trackers vy getting a lot of “fake” seeders. I remember when the GTA V game was released (only for console) and suddenly there were 30GB+ fake torrents everywhere (even on trusted torrent websites). You can’t trust anyone in a decentralized network/platform.

I wouldn’t be surprised if many “regular joes” get infected for not knowing about this and downloading his favorite movie.
legendary
Activity: 3122
Merit: 1398
For support ➡️ help.bc.game
According to the article,

"All the attacker needs to do is craft a malicious MKV or AVI video file and trick users into playing it using the vulnerable versions of VLC."

So generally, for that hacking thing to work, it will come from a video file as source. Not by using directly the outdated VLC to the prior downloads (in other words new downloads from random sites).

Am I right here?

I just wonder how can they trick the user here. Hopefully, those internet guys out there know how to deal on any download site they will encounter.

And I can't find the latest news about it. Can someone link it to me?

a) Stick with the popular and reputable download sites (especially torrent sites).
b) Use common sense
c) MORE IMPORTANTLY, UPDATE TO THE LATEST VERSION! (Version 3.0.7.1)


I will not stop using VLC. It's the fastest player, at least based on my user experience for 10 years I guess. I'm using a super outdated version of VLC lol (version 2) so I just need to update it.

To those newbies who are confused, better stop using VLC.
legendary
Activity: 2758
Merit: 6830
I'm not sure that I will get answer, but I will ask. How about Ace Player (it's VLC based player)? On my PC it's made using 2.0.5 version of VLC. So, as I understand it's also unsafe. If yes, it's bad because I don't know alternative players to watch Ace Stream on PC.
It possibly has the same vulnerability. I would stop using it and wait until the maintainer (if there is one) talks about this/fix it.

I just googled a bit and found a guide to make it worth with Kodi (legit player/media service). Maybe you can try: https://techiestechguide.com/acestream-kodi/
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
I'm not sure that I will get answer, but I will ask. How about Ace Player (it's VLC based player)? On my PC it's made using 2.0.5 version of VLC. So, as I understand it's also unsafe. If yes, it's bad because I don't know alternative players to watch Ace Stream on PC.
legendary
Activity: 3542
Merit: 1352
Cashback 15%
Quote
With more than 3 billion downloads, VLC is a hugely popular open-source media player software that is currently being used by hundreds of millions of users worldwide on all major platforms, including Windows, macOS, Linux, as well as Android and iOS mobile platforms.

Was about to ask which operating systems are compromised/vulnerable to the said vector until I read this. Good thing I let the automatic updates run on my PC earlier this morning before I go and took a run.

Quote
Though the proof-of-concepts demonstrated by both researchers cause a crash, a potential attacker can exploit these vulnerabilities to achieve arbitrary code execution with the same privileges as of the target user on the system.

Just a question though, would the attack be similar to that exploit found on Mozilla browsers a while ago? Not really much into cybersec but would the vulnerability be dormant, or just lay down there until I play a certain type of video associated to the exploit? Kinda curious and want to know more, it wasn't stated anywhere in the article.

legendary
Activity: 2240
Merit: 3150
₿uy / $ell ..oeleo ;(
And another vulnerability found, no one is save.

I know many people use it that's why I post it here.
Keep your coins save.

Read below.

 
Quote
If you use VLC media player on your computer and haven't updated it recently, don't you even dare to play any untrusted, randomly downloaded video file on it.
Doing so could allow hackers to remotely take full control over your computer system.
That's because VLC media player software versions prior to 3.0.7 contain two high-risk security vulnerabilities, besides many other medium- and low-severity security flaws, that could potentially lead to arbitrary code execution attacks.
Source

Spread the news.
Jump to: