VLC 0.8.6a has been released – it is a security update to VLC 0.8.6 that fixes a vulnerability which could lead to arbitrary code execution. The bug was reported publicly two days ago as part of the controversial Month of Apple Bugs pseudo-project, which aims to disclose a new, previously unreported security bug affecting OS X every day. However, the VLC bug affects all VLC users, including those on Windows, so everyone needs to upgrade – it isn’t just an OS X bug.
While I’m happy to hear that an update to VLC has been released so soon after the issue came to light, and that security flaws in OS X are being found and reported, I really deplore the decision to publish full details with exploit code on the internet. This means that these exploits are now public, and any old Johnny Hacker can come along and write a virus or a trojan that takes advantage of the flaws. Considering that most Mac users do not use a virus scanner – up until now there’s been no real need – that puts a lot of users at risk.
The researchers would have been far better off publishing only very limited information about the flaw – the application affected and a brief description of it – and giving the full details directly to the vendor of the software, allowing them to fix it without putting users at risk. Most reputable security researchers follow this practice of ‘responsible disclosure’, so it is a shame that these guys haven’t done the same; instead, they seem to want to milk the publicity that comes with releasing all of the details, giving virus writers a head start.
Finding flaws in software applications is good, because the vendors can fix them to make them safer. Publishing those flaws for all and sundry to see is not good, because that gives the hackers a chance to get there first.