In July, several reputable websites reported a critical security flaw in VLC, a popular open-source, multiplatform media-player application. Readers were urged to uninstall VLC before they got hacked. The problem is, the vulnerability did not exist—at least, not in the way the sites reported.
The stories followed a disclosure made by a German security agency that claimed VLC had a critical remote code execution (RCE) exploit. This type of vulnerability allows attackers to perform arbitrary commands on compromised machines, such as installing and modifying applications, running malicious payloads, and stealing information.
The researchers filed the report with the Mitre Corp., a US government–funded research organization that tracks common vulnerabilities and exposures (CVEs). The supposed exploit was eventually listed on the National Vulnerability Database as CVE-2019-13615 with a vulnerability score of 9.8, classified as “critical.”
Shortly after, however, VLC developer VideoLAN clarified that the bug was in a third-party library that had already been patched. A Twitter clash ensued.
About the “security issue” on #VLC: VLC is not vulnerable.
tl;dr: the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago.
VLC since version 3.0.3 has the correct version shipped, and @MITREcorp did not even check their claim.
— VideoLAN (@videolan) July 24, 2019
The episode—which caused panic, frustration, and lengthy arguments on social media—exemplifies the broken state of vulnerability disclosure. From discovery to publication, software vulnerabilities involve numerous organizations and individuals, each with their own challenges. Getting them all on the same page can be a herculean task.
The Need for Responsible Reporting
“In infosec, everything is about getting clicks. We’re at the level of tabloids,” says VideoLAN President Jean-Baptiste Kempf.
Since ad impressions are the main source of income for online publications, reporters are under pressure to write stories that attract more viewers, which can result in clickbait. Being the first to break the news also garners more views, which pushes some reporters to write stories without corroborating details. And in the case of the VLC vulnerability, most reporters published their stories without contacting the developers.
To be fair, there are plenty of sensational stories in other sectors of the tech industry. But Kempf points out that cybersecurity issues are different.
“If there’s a clickbait article about blockchain, you don’t care. If it’s about security, it’s about losing your data and getting hacked. People care more about security, therefore cybersecurity reporters should be more careful than others, because the impact might be bigger,” Kempf says.
Following VideoLAN’s clarification, most tech publications updated their stories. The NVD record was also updated, reducing the severity score and adding mention of the vulnerable third-party library. But updates rarely get the same exposure as the original article.
Security Researchers and Developers Need to Talk
Kempf also points out that security researchers often overstate their reports to draw attention to their work. “In the VLC security issue, the researcher asked [Mitre] for a CVE and got it at the number 9.8,” he says, pointing out that the last Linux kernel vulnerability that allowed attackers to compromise the system just by sending a packet to a Linux server in the cloud did not get a 9.8 score.
He also stresses that the researchers did not reach out to VLC to verify their findings before making them public. Many security experts agree that this kind of behavior is unethical and harmful.
“While the intent of the [ethical] hackers was not to do harm, the execution of the disclosure created unnecessary concern in the marketplace and a rather large PR issue for VideoLAN,” says Julia Kanouse, CEO of the Illinois Technology Association. “For ethical hacking to be considered truly ‘ethical,’ it is important for the hacker to follow some kind of code of conduct.”
Researchers must understand the characteristics of the target organization’s business, system, and network, Kanouse says. In the case of the VLC vulnerability report, the researchers conducted their experiments with an outdated version of the vulnerable library.
Also, researchers must remain fully transparent and in contact with the developers before, during, and after their tests. “Transparency and early disclosure to VideoLAN would have allowed them to proactively address the issue and keep what ended up being a non-issue out of the public eye,” Kanouse says.
The Challenge of Moderating CVEs
Kempf also complains that Mitre, which runs the CVE program, didn’t contact them before making the disclosure public. But according to Kurt Seifried, Chief Blockchain Officer and Director of Special Projects at the Cloud Security Alliance, verifying every single CVE report is virtually impossible.
“I would point out that Mitre didn’t create this vulnerability report; the researcher did. Also, CVE is a claims-based system—you can’t possibly verify most of this stuff in a reasonable amount of time,” says Seifried, who is also a CVE editorial board member at Mitre.
“The bad guys share information quickly. The good guys, we’re pretty terrible at sharing information timely, if at all,” he says.
Seifried also notes that the damage of disclosure is often exaggerated. “Has anyone articulated what the downside of this all was? VLC is annoyed, sure, and some people probably uninstalled it based on this news… But what’s the actual harm?” he asks. “Was it a mess? Yes. Was there harm? I don’t know. Everyone has opinions on this stuff. Nobody has any data.”