Discussion in 'Article Discussion' started by bit-tech, 22 Jul 2019.
Article updated: the flaw is not in VLC Player, but in a third-party library - and even then only in versions shipped prior to late April 2018, which are unfortunately still included by default in selected Long Term Support Linux distributions.
So a correct - though much less clickbaity - article title might be "Older versions of VLC have vulnerability". And the article might helpfully tell us how to check the date on the vulnerable module (which I don't find in my Windows installation).
I don't - knowingly - do clickbait. Never have. I don't see any page view metrics, I'm not paid based on said metrics, and it literally doesn't make a difference to me whether one person reads a story or a million (though it probably does to The Powers That Be.) The headline was accurate to the information available at the time; it has been updated following the release of new information.
If you're running Windows, you don't need to check; the library is bundled and has been the updated version since VLC 3.0.3.
Gareth and click-bait don't go in the same sentence. The man works hard to report the news accurately, typos notwithstanding. Just be sure when correcting him that you are, in fact, correct. Or be prepared to get schooled. Or don't. Him schooling people makes for entertaining reading.
The title is "VLC Player hit by buffer overflow vulnerability in third-party library". I of course thought that my VLC player is vulnerable and so read the article immediately. Turns out that only old installations are at risk. And it didn't tell me what to look for in Windows.
Most readers here will have the same experience: needless spin-up; and then no directly usable info. Hence my original comment.
It reminds me of the WinRAR vulnerability earlier this year - every website proclaimed it but not a single one even mentioned that you could and should simply delete unacev2.dll. They all went on about code age and ownership, patches, and updates, and how unlikely those were etc etc. Probably half of the readers - all of whom could easily have eliminated the risk - ultimately did nothing because it seemed too complicated.
So I have no patience for malware announcements that are anything like that. I want to know quickly (1) does it apply to my PC; (2) how can I tell if I'm actually at risk, and (3) what is the smartest thing to do about it. This article, even as edited, falls short on making any of these clear.
This news article, such as a news article is and should be, provides news. It's not a technical support article. You're perhaps right about the title, but that's about as far as the changes need to go.
That's the updated title, yes. It didn't say "in third party library" originally because that's what the story was two days ago when I wrote it. It isn't any more, because new information has come to light and I've updated the story. The forum thread still has the old title, but the article doesn't. Click it, see for yourself. Hell, I'll update the forum thread title too, if you like.
That's not the case: read the article again. Even the most up-to-date VLC is vulnerable if you're using the vulnerable library version - but that information wasn't available two days ago. According to the information that was available two days ago, all versions up to the latest beta were vulnerable. The article was updated *within an hour* of VideoLAN declaring that not to be the case and pointing to the third-party library as the culprit.
Incidentally, I don't get paid for updating existing articles. I'm contracted to do three 250-word news articles per day. Every single word over that, every update, every vendor comment, every forum post comes from my love of the community here. And my desire to have the last word in any debate.
Mostly my desire to have the last word in any debate.