More lies from Secunia

9 July 2013

This is a straight answer from me to the blog post from Secunia.

I will not comment much on the methods of this company or the fears they try to push onto their users. They are using the same tactics as other companies in the security business. I will therefore go straight to the point.

SA51464

Intro

A crashing PoC against VLC 2.0.4 was posted to the Full Disclosure mailing list on December 7th.

You can get the PoC here.

Note that this is a crash on an SWF file, a format VLC was never officially able to open (no file-extension association, not present in the open dialog, …), so one cannot open it automatically or by mistake.

You can see the stacktrace on our bugtracker.

The crash is in the libavformat/libavcodec libraries from the FFmpeg/libav projects, not in VLC's own code at all.

FFmpeg/libav are used by thousands of projects, including your TV, your smartphone, your DVD player and quite likely your browser. The list of projects includes Chrome, all Smart TVs from Samsung and LG, all media player codec packs, all media players on Linux, most video editors, every video converter, most DVD players that play DivX or MKV files, etc… The normal thing to do, of course, is to report those kinds of issues upstream. This is what responsible security researchers do, because the issues are then fixed in all software at once… But that does not include Secunia.

Fix

I provided a fix that you can see here on December 11th.

As you can see, this IS NOT the same fix that Secunia shows on their blog and claims we used: the FFmpeg patch.

This is the first lie of Secunia: they don't even look at our codebase, even though we are open source!

Then Secunia publishes its advisory on December 12th, i.e. AFTER the fix, and calls the issue unpatched, while a patch is ready and public, as you can see above. This is the second lie of Secunia: they don't even check their own advisories.

Release

I released VLC 2.0.5 on December 14th, 7 days after the Full Disclosure PoC. That's quite good for a hobbyist project, no?

You can download VLC 2.0.5 for Windows here.

Try it yourself! You have the PoC, you have the VLC 2.0.5 release. It does not crash at all. I just retested on Windows 8.

Aftermath

But they refused to close their advisory: "When the VLC team released version 2.0.5, which claimed to fix SA51464, Secunia Research contacted the VLC security team and informed them about the incorrect patch. However, VLC apparently disregarded our mail."

This is the third lie of Secunia: the PoC did not crash 2.0.5 at all.

Moreover, I have no idea what mail they are speaking about: I received no mail from Secunia in December, January or February, that is, in the 3 months after their advisory was out. In that time they did not change anything in it, nor did they try to communicate, while we tried, and people in their comments and forum did too, repeatedly. Who is failing at coordination between vendors and researchers?

The mail from Secunia in March that they quoted even says: "Following my line of argument I hold the view that SA51464 has to be seen as fixed with VLC 2.0.5."

Then, they said, again, in their blog post: "However, they failed to understand the root cause and provided a patch which did not fix the core issue."

This is, once again, wrong: we saw the crash they gave us and we fixed it.

Seriously, try it yourself with VLC 2.0.5.

You can also download VLC 2.0.6 for Windows, or VLC 2.0.7 for Windows.

You will see that this is fixed in all those versions.

Their blog post also says: "The next day we re-visited the issue, in version 2.0.6. However, since we could not prove exploitation, we decided to change the status to “Patched”. concluded that the issue is exploitable even in the newly released version 2.0.7."

This is the fourth lie of Secunia. There was no regression after 2.0.5 on this particular file.

I seriously have no idea what they mean. Things seem so confused on their side that they have already changed the status of this advisory 3 times.

After that, I decided that I could not do much against Secunia, except be very annoyed by the whole situation.

Secunia and MKV: SA52956

Then comes more WTF from Secunia.

Someone came to Secunia with a supposed PoC on MKV. This PoC does indeed crash VLC, but does nothing more.

We thought that the issue was an uncaught C++ exception in the MKV demuxer. We asked for some time to fix the issue. We wrote a fix and committed it here on April 27th, only 4 days later. We told Secunia about this fix.

As you can see, this is not an integer overflow but an uncaught exception, and I doubt that it is exploitable. On my 64-bit Linux machine, this uncaught exception makes VLC abort, not execute arbitrary code.
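To make the distinction above concrete, here is an added example (written for this page, not VLC's MKV demuxer or its actual fix) of the failure mode described: a C++ parser that throws on malformed input, called from a plain C-style entry point with nothing above it to catch the exception, so the runtime calls std::terminate() and the process aborts. The "guarded" variant catches at the C/C++ boundary and returns an error code instead, which is the shape of fix the paragraph describes. The element format, the function names and the sample buffers are all hypothetical and constructed for this example.

```cpp
// Added example, not VLC code: uncaught C++ exception -> abort (a crash,
// not code execution) versus catching it at the plugin boundary.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Hypothetical EBML-like element: a 1-byte ID, a 1-byte declared size,
// then `size` bytes of payload. (Real EBML uses variable-length integers;
// this is simplified so the example stays short.)
struct Element {
    uint8_t id;
    std::vector<uint8_t> payload;
};

// Parses a buffer of elements. Like a C++ container-parsing library, it
// signals malformed input by throwing: here, when a declared size runs past
// the end of the buffer, or when a header is truncated.
std::vector<Element> parse_elements(const std::vector<uint8_t>& buf) {
    std::vector<Element> out;
    size_t pos = 0;
    while (pos < buf.size()) {
        if (buf.size() - pos < 2)
            throw std::runtime_error("truncated element header");
        uint8_t id   = buf[pos];
        uint8_t size = buf[pos + 1];
        pos += 2;
        if (size > buf.size() - pos)            // bounds check BEFORE copying
            throw std::runtime_error("element size exceeds buffer");
        out.push_back({id, std::vector<uint8_t>(buf.begin() + pos,
                                                buf.begin() + pos + size)});
        pos += size;
    }
    return out;
}

// "Before": demux entry point that lets the exception escape. When such a
// function is reached through a C plugin interface, no frame above it has a
// handler, so the exception propagates to std::terminate() -> abort().
// Returns the element count on well-formed input.
int demux_unguarded(const std::vector<uint8_t>& buf) {
    return static_cast<int>(parse_elements(buf).size());
}

// "After": same entry point, but the exception is caught at the boundary
// and mapped to an error code, so the caller reports "cannot open" instead
// of the whole player dying.
int demux_guarded(const std::vector<uint8_t>& buf) {
    try {
        return static_cast<int>(parse_elements(buf).size());
    } catch (const std::exception&) {
        return -1;
    }
}

// Helper for checking the unguarded path without killing the process:
// reports whether an exception escapes demux_unguarded() for this input.
bool unguarded_throws(const std::vector<uint8_t>& buf) {
    try {
        demux_unguarded(buf);
        return false;
    } catch (const std::exception&) {
        return true;
    }
}

// Constructed sample inputs (not the PoC from the advisory).
const std::vector<uint8_t> kGood = {0x1A, 0x02, 0xAA, 0xBB,   // id 0x1A, 2 bytes
                                    0x18, 0x01, 0xCC};        // id 0x18, 1 byte
const std::vector<uint8_t> kBad  = {0x1A, 0x40, 0xAA};        // claims 64 bytes, has 1

int main() {
    std::printf("guarded, good input : %d elements\n", demux_guarded(kGood));
    std::printf("guarded, bad input  : %d (error code)\n", demux_guarded(kBad));
    std::printf("unguarded, bad input: exception escapes = %d\n",
                unguarded_throws(kBad) ? 1 : 0);
    // Calling demux_unguarded(kBad) directly, with no handler anywhere up
    // the stack, would end with std::terminate() and a core dump.
    return 0;
}
```

The point worth keeping in mind as a practitioner: the try/catch only changes what happens at the throw site and above it. Whether a given "it just aborts" bug is really only a denial of service depends on what the code did before it threw; the guard turns an abort into an error return, it is not a substitute for the bounds check that prevents memory from being touched out of range in the first place.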

This was told to Secunia on several occasions, including on the phone. They never came back with a more complete explanation, nor with an actual exploit, and refused to tell us more.

EDIT: Vupen seems to say this is exploitable with some "voodoo" code. I don't have more details about that.

Yet to me, Secunia does not even stand by what they claim is their core business, aka "putting vendors and researchers in contact", and refuses to discuss technical points. They just say "no, this is not good", and then defame us…

Secunia attacking VideoLAN on Twitter

Then, on May 22nd, Secunia started lying and misleading our users, as you can see on Twitter, while VLC did not appear in the US report… Selling their reports on accusations of not patching security issues in VLC… When we pointed out the mistake, they did acknowledge it, but they did not even apologize.

As you can imagine, we were quite pissed at Secunia…

This is exactly what I call defamation.

EDIT: But, you know what, they re-edited their report on May 29th to make VLC show up in the US report… Look at the date in the right-hand corner: it is not the 22nd… Why else would they say "You are right"?

What kind of security company edits its reports after the fact to change the results? If they knew they were clean, why do that?

MKV issue fixed

At the end of May, we were contacted again about the MKV situation, and we said that this was a crash, not an exploitable security issue.

We gave them the revision of the patch in which the crash was fixed in VLC, and a proper build, but they kept saying it was "unpatched", without explaining anything…

They decided to publish their advisory even though a fixed version of VLC had been published (we publish nightly builds every night), a very simple workaround for VLC 2.0.7 existed (remove libmkv_plugin.dll), and the PoC crashed VLC without exploiting it.

Moreover, they refused to hold the advisory until VLC 2.1.0 was out, and published it anyway.

You can try a VLC build in which it is fixed…

Final insults and attack

Finally, today they blog about us, saying:

"That VLC apparently doesn’t think vulnerabilities in third party libraries, for example FFmpeg (which is statically linked), are issues they would need to warn their users about, but only vulnerabilities in the “main” VLC code, is obviously not the right thing to do, and gives a false image on the security status of VLC."

This is so patently untrue it is not even funny. Can you explain this patch, or that one?

And we don't statically link FFmpeg on all platforms. Moreover, why not send the issue to FFmpeg?

There is a lot of code in VLC, and there are probably a lot of security issues in VLC; no one is denying that. But the way Secunia dealt with this was outrageous, and I think I have every right to be pissed and to claim that they do not work "with vendors". It might be easier to attack a group of hobbyists than big companies.

Jean-Baptiste Kempf

Comments

  1. On 29 May, 7:00 by Jean-Baptiste Kempf

    @boxofrox: they’ve been receiving this exact link a dozen times, and they’ve been pointed to it already. This is just bad faith from them.

  2. On 26 May, 10:51 by DrTeeth

    VLC has got nothing to prove in my eyes. They are riding high on this.

  3. On 14 May, 8:40 by boxofrox

    “I provided a fix that you can see here on December 11th.

    As you see, this IS NOT the same fix that Secunia shows on their blog and claim we used: FFmpeg patch.”

    The bug report[1] lists a single patch in the comments, which Secunia shows in their blog.

    I don’t consider this a lie. I consider this a misunderstanding since your bug tracker fails to accurately record the actions taken to solve the issue.

    You complain that Secunia is too lazy to search through the VLC code repository for the exact fix when you could have resolved this portion of the conflict by adding your patch link to the bug report instead of this blog.

    [1] https://trac.videolan.org/vlc/ticket/7860

  4. On 11 May, 1:54 by iive

    Secunia claims that according to their analysis, SA51464 is caused by a use-after-free, and that the same bug is also triggered by an .avi file.

    Unfortunately they do not share their analysis; they do not provide a fix/patch or at least vague hints as to where the “real” bug might be. All they provide is a crash report and a PoC.

    I would assume that their PoC doesn’t cause any problems on VLC developer machines (anymore), so they cannot trace the “real” bug.

    Everybody would be happier if Secunia stopped their games of “guess what I think” and did a full disclosure of their analysis.

  5. On 11 May, 12:46 by Sven Kemper

    You also did not mention that Secunia sells bugs of other researchers without asking them, after a publication in the CSI software ^^

  6. On 10 May, 11:37 by .m

    @norbert: These security researcher types help make our software better. It’s much easier to fix problems when we know about them. Ignoring them only harms you and your software.

    And really, there’s people in any profession who take themselves too seriously.

    It’s good to see this response regarding VLC, I do hope that Secunia issues an apology for the way they’ve handled this.

  7. On 10 May, 6:15 by Norbert

    I’m really getting fed up with those ‘security researcher’ types. They don’t do anything constructive - all they do is look for bugs and waste people’s time.

    And then they take themselves far too seriously: LOOK WE FOUND A SECURITY BUG! DROP EVERYTHING, FIX IT AND TELL THE WORLD HOW GREAT WE ARE. Because we are security RESEARCHERS and more important than GOD/DOG HIMSELF!

    We software developers who create value should take a stand against those trolls and ignore them.

  8. On 10 May, 5:42 by Jean-Baptiste Kempf

    @alex: show me the exploit then. And show me how it works on 2.1.0-pre1. Please do…

    About constantly patching, VLC is like all the other software: you have to deal with it. It’s not fun for anyone.

    Not to mention that most of those security issues are in ALL the video players or codecs…

  9. On 10 May, 5:28 by cabfile

    Well, I lost respect and trust in Secunia many, many years ago. I think you are doing a great job, and VLC is one of the best media players I’ve ever seen.

  10. On 10 May, 4:42 by alex

    I don’t know who is more wrong between Secunia and VLC, but according to VUPEN the MKV issue is exploitable.

    But let’s face it: I’m fed up with patching VLC on a regular basis due to recurring security issues. And this blog post and the legal threats against Secunia have further eroded my trust in the project and its maintainers.

    So bye VLC, I loved you back in 2005 but the world changed…

  11. On 9 May, 10:56 by w00t

    You forgot to mention the most important thing: if Secunia Research is professional, why don’t they provide you with a working exploit? (e.g. EIP = 0x41414141) I’m sure a company like VUPEN would do just that to prove their point. Isn’t it worth pointing out on other sites? (e.g. netsec)

    I really like this https://twitter.com/Secunia/status/… you can spot _two_ lies - first, they didn’t find ANY vuln; second, they’re lying about the timeframe.