News, tips, advice, support for Windows, Office, PCs & more. Tech help. No bull. We're community supported by donations from our Plus Members, and proud of it
Home icon Home icon Home icon Email icon RSS icon
  • VLC update issue in the UK

    Posted on Rick Corbett Comment on the AskWoody Lounge

    Home Forums Code Red – Security/Privacy advisories VLC update issue in the UK

    This topic contains 15 replies, has 9 voices, and was last updated by  Paul T 4 months, 1 week ago.

    • Author
      Posts
    • #1834590 Reply

      Rick Corbett
      AskWoody_MVP

      I went to use VLC media player 3.0.6 and this update notice popped up:

      vlc_update_01

      Clicking on the Yes button led to this warning about an insecure site:

      vlc_update_02

      The certificate details look OK:

      vlc_update_03

      Note that this is an issue with the mirror service in the UK (run by the University of Kent) not with VLC itself. There is nothing in VLC’s preferences to only use direct downloads, not a mirror service.

      However, just in case, I went to the VLC support forum. The certificate issue with the mirror service isn’t mentioned .

      If you want to update anyway, download the update directly from VLC itself:

      64-bit direct download links for Windows:
      http://download.videolan.org/pub/videolan/vlc/3.0.7/win64/

      32-bit direct download links for Windows:
      http://download.videolan.org/pub/videolan/vlc/3.0.7/win32/

      Direct download links for other platforms:
      http://download.videolan.org/pub/videolan/vlc/3.0.7/

      Note, however, that there are multiple posts in the VLC support forum about the Windows version of 3.0.7, mainly about issues with green artefacts when playing MKV and MP4 files.

      I decided not to bother updating. 🙂

      Hope this helps…

      Attachments:
      3 users thanked author for this post.
    • #1835575 Reply

      RetiredGeek
      AskWoody MVP

      Rick,

      I’ve hade 3.0.7 loaded for a couple of days and have not had a problem with it. I just went and played several mp4 files through it with out issue. Unfortunately, I don’t have any mkv files to test.

      FYI: Win 10 – 1809.

      HTH 😎

      May the Forces of good computing be with you!

      RG

      PowerShell & VBA Rule!
      Computer Specs

      2 users thanked author for this post.
    • #1835716 Reply

      Berton
      AskWoody_MVP

      I also am having no issues with the new version on Windows, probably will get it on Linux Mint next time I choose to update.

      Before you wonder "Am I doing things right," ask "Am I doing the right things?"
      1 user thanked author for this post.
    • #1836220 Reply

      Alex5723
      AskWoody Plus

      Just tested a DD5.1 HEVC x265.mkv video using Portable VLC 3.07. Played flawlessly.
      The same with x264.mkv video.

      • This reply was modified 4 months, 1 week ago by  Alex5723.
    • #1836235 Reply

      BATcher
      AskWoody_MVP

      Rick

      I’ve just started VLC, and received the first screen you show.  The new version then downloaded and installed entirely successfully, and is playing prettily at present.

      Of course I have no idea which mirror VLC v3.0.7 was downloaded from, but being in the UK it is fairly likely that the “University of  Kent at Canterbury” facility was used – I often get Mint updates from there.

      I don’t know whether or not this helps in any way!

      BATcher
    • #1836695 Reply

      Rick Corbett
      AskWoody_MVP

      After my first post I did some testing using the direct download link and have experienced no artefacts so far using both MP4 and MKV formats.

      Then I went to carry out an upgrade of VLC 3.0.6 in a VM using the University of Kent’s http://www.mirrorservice.org, i.e. by ignoring the insecure site warning. It looks like VLC updates in Win 10 use a direct download from VLC itself whilst VLC running in Win 7 uses the University of Kent’s mirror service.

      vlc_update_w10

      Back on my Win 7 PC I used SecurityXploded’s Hash Compare 3 to compare the 64-bit executables from VLC (http://download.videolan.org/pub/videolan/vlc/3.0.7/win64/) and from the mirror service (http://www.mirrorservice.org/sites/videolan.org/vlc/3.0.7/win64/)… and compared them to the SHA256 hash posted on VLC. The hashes are identical.

      vlc_hashes

      As a result I’m confident that the ‘insecure site’ warning is a false positive caused by the site’s certificate and have emailed help@mirrorservice.org to let the university know of the issue (with a link to this post).

      Attachments:
      5 users thanked author for this post.
    • #1838053 Reply

      Alex5723
      AskWoody Plus

      New VLC 3.0.7.1

      https://download.videolan.org/pub/videolan/vlc/3.0.7.1

      2 users thanked author for this post.
      • #1838900 Reply

        Bill C.
        AskWoody Plus

        I just tried a download from within Vidowlan 3.07 and when I went to authorize the install, Malwarebytes blocked and quarantined it as an Exploit.

        I am in the US.

        • #1838901 Reply

          Rick Corbett
          AskWoody_MVP

          Did you happen to notice whether the update came from get.videolan.org or was it from somewhere else? Does MBAM say what type of exploit?

          Perhaps restore the installer from Quarantine then check it using VirusTotal?

          Hope this helps…

          1 user thanked author for this post.
          • #1838956 Reply

            Bill C.
            AskWoody Plus

            This was the Exploit: Malware.Exploit.Agent.Generic

            Affected Application: VLC Player
            Protection Layer: Application Behavior Protection
            Protection Technique: Exploit payload file blocked
            File Name: C:\Users\…\AppData\Local\Temp\vlc-3.0.7.1-win64.exe

            I deleted the quarantined file.

            I subsequently downloaded a zipfile from the VLC website that passed the MD5 hash check and the entire contents passed a MBAM scan, however that was not an installer version. I am going to try a direct download from videolan.org and check virustotal and scan it.

            UPDATE: The downloaded installer file I just downloaded from videolan.org for win64 checked clean with Virustotal and also MBAM scans. Only the one downloaded via the updater was blocked.

            This is my bad as I previously always go to the site and manually download files and do checks. This time, I used softwares built-in updater and got a warning. Lesson learned.

            • This reply was modified 4 months, 1 week ago by  Bill C..
    • #1838326 Reply

      Rick Corbett
      AskWoody_MVP

      I received a very helpful email from help@mirrorservice.org in reply:

      The message says the certificate is not trusted which means the root
      certificate is missing from whatever list that VLC is using. Maybe it
      has its own internal one, or maybe it’s an OS level one, but in any case
      the root certificate for the certificate provider we use is obviously
      not there.

      I don’t think there’s a lot we can do about this. It’s a system based on
      trust, and we use a widely used provider so it should be supported
      everywhere. We also haven’t had any other reports (I think recall seeing
      it for VLC before, though) of problems. So I’m inclined to suggest this
      is VLC specific problem.

      If you’re worried just download the latest version directly and install
      it, rather than using the builtin updater.

      This got me thinking so I installed VLC 3.0.6 in a Windows 7 Home Premium VM and tried to update using its internal updater.

      The first attempt produced an error:

      vlc_update_w7vm1

      However, a second attempt was successful (and downloaded v3.0.7.1 from get.videolan.org).

      I’m inclined to think it was just an issue with my main Win 7 PC. I’m not going to do any more digging into the cause now I know I’m the only one who had an issue with the University of Kent’s mirror service. (Kudos to the support team there for the informative and speedy response to my email.)

      Hope this helps…

      Attachments:
    • #1838840 Reply

      Rick Corbett
      AskWoody_MVP

      A final post on this topic… I had another email from the University of Kent’s mirror service asking if the PC in question was up-to-date. Well, nearly so… I was aware that MS had released an update to the root certificates at the beginning of April so I had installed the security updates at the time but not updated since.

      However, a Google search for win 7 certificate store turned up a TechNet article – Trust root certificate store is not updating – about this April update failing… so it was apparently re-issued. I checked Windows Update (mine’s set to manual, not automatic) and ran in the 2 available security updates (KB4474419 and KB4503292), restarted then tried to update from VLC 3.0.7 to 3.0.7.1 using its internal updater. Success – no errors! 🙂

      2 users thanked author for this post.
    • #1838959 Reply

      PKCano
      Da Boss

      I have been updating VLC on several platforms (MacOS, Win7, Win8.1, Win10 1803, 1809, Insider) today using the “Check for updates” in the VLC menu. They are coming from videolan.org – running against Bitdefender Free, TrendMicro Premium and Malwarebytes. Have had no argument from any of them. I’m in the US.

      1 user thanked author for this post.
    • #1839825 Reply

      anonymous

      ? says:

      using VLC 2.2.2-5ubuntu0.16.04.4 weatherwax on ubuntu from universe repository. plays DVD’s and iTunes music files with no problems. any pressing need to update?

      1 user thanked author for this post.
      • #1839829 Reply

        Paul T
        AskWoody MVP

        The security issue is listed here. It’s up to you to decide if you need to update, but I would.

        cheers, Paul

        1 user thanked author for this post.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: VLC update issue in the UK

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Cancel