News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • VLC update issue in the UK

    Posted on Rick Corbett Comment on the AskWoody Lounge

    Home Forums Code Red – Security/Privacy advisories VLC update issue in the UK

    Viewing 10 reply threads
    • Author
      Posts
      • #1834590 Reply
        Rick Corbett
        AskWoody_MVP

        I went to use VLC media player 3.0.6 and this update notice popped up:

        vlc_update_01

        Clicking on the Yes button led to this warning about an insecure site:

        vlc_update_02

        The certificate details look OK:

        vlc_update_03

        Note that this is an issue with the mirror service in the UK (run by the University of Kent) not with VLC itself. There is nothing in VLC’s preferences to only use direct downloads, not a mirror service.

        However, just in case, I went to the VLC support forum. The certificate issue with the mirror service isn’t mentioned .

        If you want to update anyway, download the update directly from VLC itself:

        64-bit direct download links for Windows:
        http://download.videolan.org/pub/videolan/vlc/3.0.7/win64/

        32-bit direct download links for Windows:
        http://download.videolan.org/pub/videolan/vlc/3.0.7/win32/

        Direct download links for other platforms:
        http://download.videolan.org/pub/videolan/vlc/3.0.7/

        Note, however, that there are multiple posts in the VLC support forum about the Windows version of 3.0.7, mainly about issues with green artefacts when playing MKV and MP4 files.

        I decided not to bother updating. ๐Ÿ™‚

        Hope this helps…

        Attachments:
        3 users thanked author for this post.
      • #1835575 Reply
        RetiredGeek
        AskWoody MVP

        Rick,

        I’ve hade 3.0.7 loaded for a couple of days and have not had a problem with it. I just went and played several mp4 files through it with out issue. Unfortunately, I don’t have any mkv files to test.

        FYI: Win 10 – 1809.

        HTH ๐Ÿ˜Ž

        May the Forces of good computing be with you!

        RG

        PowerShell & VBA Rule!
        Computer Specs

        2 users thanked author for this post.
      • #1835716 Reply
        Berton
        AskWoody_MVP

        I also am having no issues with the new version on Windows, probably will get it on Linux Mint next time I choose to update.

        Before you wonder "Am I doing things right," ask "Am I doing the right things?"
        1 user thanked author for this post.
      • #1836220 Reply
        Alex5723
        AskWoody Plus

        Just tested a DD5.1 HEVC x265.mkv video using Portable VLC 3.07. Played flawlessly.
        The same with x264.mkv video.

        • This reply was modified 11 months, 4 weeks ago by Alex5723.
      • #1836235 Reply
        BATcher
        AskWoody_MVP

        Rick

        I’ve just started VLC, and received the first screen you show.ย  The new version then downloaded and installed entirely successfully, and is playing prettily at present.

        Of course I have no idea which mirror VLC v3.0.7 was downloaded from, but being in the UK it is fairly likely that the “University ofย  Kent at Canterbury” facility was used – I often get Mint updates from there.

        I don’t know whether or not this helps in any way!

        BATcher

        Data is not the plural of anecdote...

      • #1836695 Reply
        Rick Corbett
        AskWoody_MVP

        After my first post I did some testing using the direct download link and have experienced no artefacts so far using both MP4 and MKV formats.

        Then I went to carry out an upgrade of VLC 3.0.6 in a VM using the University of Kent’s http://www.mirrorservice.org, i.e. by ignoring the insecure site warning. It looks like VLC updates in Win 10 use a direct download from VLC itself whilst VLC running in Win 7 uses the University of Kent’s mirror service.

        vlc_update_w10

        Back on my Win 7 PC I used SecurityXploded’s Hash Compare 3 to compare the 64-bit executables from VLC (http://download.videolan.org/pub/videolan/vlc/3.0.7/win64/) and from the mirror service (http://www.mirrorservice.org/sites/videolan.org/vlc/3.0.7/win64/)… and compared them to the SHA256 hash posted on VLC. The hashes are identical.

        vlc_hashes

        As a result I’m confident that the ‘insecure site’ warning is a false positive caused by the site’s certificate and have emailed help@mirrorservice.org to let the university know of the issue (with a link to this post).

        Attachments:
        5 users thanked author for this post.
      • #1838053 Reply
        Alex5723
        AskWoody Plus

        New VLC 3.0.7.1

        https://download.videolan.org/pub/videolan/vlc/3.0.7.1

        2 users thanked author for this post.
        • #1838900 Reply
          Bill C.
          AskWoody Plus

          I just tried a download from within Vidowlan 3.07 and when I went to authorize the install, Malwarebytes blocked and quarantined it as an Exploit.

          I am in the US.

          • #1838901 Reply
            Rick Corbett
            AskWoody_MVP

            Did you happen to notice whether the update came from get.videolan.org or was it from somewhere else? Does MBAM say what type of exploit?

            Perhaps restore the installer from Quarantine then check it using VirusTotal?

            Hope this helps…

            1 user thanked author for this post.
            • #1838956 Reply
              Bill C.
              AskWoody Plus

              This was the Exploit: Malware.Exploit.Agent.Generic

              Affected Application: VLC Player
              Protection Layer: Application Behavior Protection
              Protection Technique: Exploit payload file blocked
              File Name: C:\Users\…\AppData\Local\Temp\vlc-3.0.7.1-win64.exe

              I deleted the quarantined file.

              I subsequently downloaded a zipfile from the VLC website that passed the MD5 hash check and the entire contents passed a MBAM scan, however that was not an installer version. I am going to try a direct download from videolan.org and check virustotal and scan it.

              UPDATE: The downloaded installer file I just downloaded from videolan.org for win64 checked clean with Virustotal and also MBAM scans. Only the one downloaded via the updater was blocked.

              This is my bad as I previously always go to the site and manually download files and do checks. This time, I used softwares built-in updater and got a warning. Lesson learned.

              • This reply was modified 11 months, 4 weeks ago by Bill C..
      • #1838326 Reply
        Rick Corbett
        AskWoody_MVP

        I received a very helpful email from help@mirrorservice.org in reply:

        The message says the certificate is not trusted which means the root
        certificate is missing from whatever list that VLC is using. Maybe it
        has its own internal one, or maybe it’s an OS level one, but in any case
        the root certificate for the certificate provider we use is obviously
        not there.

        I don’t think there’s a lot we can do about this. It’s a system based on
        trust, and we use a widely used provider so it should be supported
        everywhere. We also haven’t had any other reports (I think recall seeing
        it for VLC before, though) of problems. So I’m inclined to suggest this
        is VLC specific problem.

        If you’re worried just download the latest version directly and install
        it, rather than using the builtin updater.

        This got me thinking so I installed VLC 3.0.6 in a Windows 7 Home Premium VM and tried to update using its internal updater.

        The first attempt produced an error:

        vlc_update_w7vm1

        However, a second attempt was successful (and downloaded v3.0.7.1 from get.videolan.org).

        I’m inclined to think it was just an issue with my main Win 7 PC. I’m not going to do any more digging into the cause now I know I’m the only one who had an issue with the University of Kent’s mirror service. (Kudos to the support team there for the informative and speedy response to my email.)

        Hope this helps…

        Attachments:
      • #1838840 Reply
        Rick Corbett
        AskWoody_MVP

        A final post on this topic… I had another email from the University of Kent’s mirror service asking if the PC in question was up-to-date. Well, nearly so… I was aware that MS had released an update to the root certificates at the beginning of April so I had installed the security updates at the time but not updated since.

        However, a Google search for win 7 certificate store turned up a TechNet article – Trust root certificate store is not updating – about this April update failing… so it was apparently re-issued. I checked Windows Update (mine’s set to manual, not automatic) and ran in the 2 available security updates (KB4474419 and KB4503292), restarted then tried to update from VLC 3.0.7 to 3.0.7.1 using its internal updater. Success – no errors! ๐Ÿ™‚

        2 users thanked author for this post.
      • #1838959 Reply
        PKCano
        Da Boss

        I have been updating VLC on several platforms (MacOS, Win7, Win8.1, Win10 1803, 1809, Insider) today using the “Check for updates” in the VLC menu. They are coming from videolan.org – running against Bitdefender Free, TrendMicro Premium and Malwarebytes. Have had no argument from any of them. I’m in the US.

        1 user thanked author for this post.
      • #1839825 Reply
        anonymous
        Guest

        ? says:

        using VLC 2.2.2-5ubuntu0.16.04.4 weatherwax on ubuntu from universe repository. plays DVD’s and iTunes music files with no problems. any pressing need to update?

        1 user thanked author for this post.
        • #1839829 Reply
          Paul T
          AskWoody MVP

          The security issue is listed here. It’s up to you to decide if you need to update, but I would.

          cheers, Paul

          1 user thanked author for this post.
    Viewing 10 reply threads

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: VLC update issue in the UK

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.