Well, regardless of exploitability, this attitude just destroyed any confidence I had in VLC's updater being secure. Seriously, WTF. https://trac.videolan.org/vlc/ticket/21737 …
No idea, and yes this is a valid point. Note that HTTPS upgrades are being worked on: https://twitter.com/videolan/status/1086667525998424066 …
IMHO it would be higher priority to work on sandboxing every bit of demux/decode/parse. But it's even more complex.
It is not fixed by HTTPS. It ALSO requires changes to the update mechanism to achieve this. Which requires the transition to a new update model, which is not simple.
Of course it's fixed by HTTPS. If you use HTTPS, I can't serve any updates at all without compromising your server. I can only block the process altogether, which is not upgrade-to-vulnerable.