Tweet
A popular open source video player software has found itself in the middle of a international scandal involving the CIA, spying and Wikileaks.
This week, Wikileaks controversially a series of leaked documents, dubbed "Vault 7". The documents are believed to be sourced, via a leak, directly from the CIA, and documents the agency's impressive list of digital weaponry, ranging from software exploits to the deliberate use of malware, to spy on the agency's targets.
Among the vast amount of information revealed by "Vault 7" was an interesting note regarding a popular video player, officially known as the VideoLAN Client, but more commonly known as the VLC player.
It has become apparent that an older version of the open source VLC software has indeed been used as a spying tool, by attaching a malware payload to the freely available software that secretly scans the target's computer while the target is using the software to play back a video.
This revelation has forced the makers of the software to release an official statement, to try and explain the situation.
The makers of the software was keen to stress that the software does not contain a remotely exploitable vulnerability, nor is the vulnerability present in the most recent version of the software.
The statement also confirms that, based on the technique used by the CIA, physical access to the target's computer as well as the "execution of the tool allegedly developed by the CIA" is required for spying to take place.
The VideoLAN team wants to reassure users that the team takes security seriously and has already undertaken actions to ensure vulnerabilities such as this cannot be exploited in the future.
"Security of our users data is of prime importance. As a consequence, we have taken countermeasures to prevent malware from hiding their activity behind VLC media player. The used attack vector modification will not be possible starting from the next minor release, 2.2.5. We are also working on hardening the VLC security for the next major releases (3.x.x)," the statement read.
This week, Wikileaks controversially a series of leaked documents, dubbed "Vault 7". The documents are believed to be sourced, via a leak, directly from the CIA, and documents the agency's impressive list of digital weaponry, ranging from software exploits to the deliberate use of malware, to spy on the agency's targets.
Among the vast amount of information revealed by "Vault 7" was an interesting note regarding a popular video player, officially known as the VideoLAN Client, but more commonly known as the VLC player.
It has become apparent that an older version of the open source VLC software has indeed been used as a spying tool, by attaching a malware payload to the freely available software that secretly scans the target's computer while the target is using the software to play back a video.
This revelation has forced the makers of the software to release an official statement, to try and explain the situation.
The makers of the software was keen to stress that the software does not contain a remotely exploitable vulnerability, nor is the vulnerability present in the most recent version of the software.
The statement also confirms that, based on the technique used by the CIA, physical access to the target's computer as well as the "execution of the tool allegedly developed by the CIA" is required for spying to take place.
The VideoLAN team wants to reassure users that the team takes security seriously and has already undertaken actions to ensure vulnerabilities such as this cannot be exploited in the future.
"Security of our users data is of prime importance. As a consequence, we have taken countermeasures to prevent malware from hiding their activity behind VLC media player. The used attack vector modification will not be possible starting from the next minor release, 2.2.5. We are also working on hardening the VLC security for the next major releases (3.x.x)," the statement read.