VLC is not without a host of it’s own buffer/heap overflows etc that allow arbitrary code execution, memory corruption and other nasties, plus it relies on a ton of third party libraries which they cannot vouch for. See here:
But, the VLC profile should allow networking for streaming. It is useful for internet radio, video, podcasts and many other things.
Schneier has outlined all the boning general Tor Browser users get e.g. FoxAcid, Quantum and so on. At this stage I have no doubt that all Tor users are automatically targeted by systems that do not require any human input.
Whonix users would be better off security-wise streaming Youtube and other media where possible via the “Media” -> “Open Network Stream” function in VLC, preferably in a separate Whonix Workstation from their other activities to get proper stream isolation.
On a side note, it’s worth reminding Whonix users that ‘free streaming’ sites are plagued with malware ads, drive-by malicious downloads and other payloads aimed at malicious behaviour. Qubes users should preferably only use those sites with disposable VMs to throw out any likely corruption after a session.
Watch sports on free livestreaming websites? Bad news: there’s a 50 per cent chance those overlay ads are malicious.
Analysis of more than 23,000 free streaming websites revealed that, perhaps unsurprisingly, the illegal streams posed a major security risk, exposing people to malware, data theft and financial scams.
Researchers from the university of KU Leuven in Belgium and Stony Brook University in the US used a semi-automated tool to identify and analyse livestreaming sites. The 23,000 sites found corresponded to 5,600 domain names, 20 per cent of which were in Alexa’s top 100,000 websites.
The semi-automated system then visited these sites 850,000 times and analysed more than one terabyte of resulting traffic. From those visits, as many as half of the adverts turned out to be malicious.
“It’s a public secret that the [free livestreaming] ecosystem is not averse to using deceptive techniques to make money from the millions of users who use their services,” said Nick Nikiforakis, assistant professor from the department of computer science at Stony Brook University.
Many overlay adverts on livestreaming sports sites have fake close buttons, or close buttons that move when a mouse is hovered over them. This deceptiveness exposes users to further risk of being exposed to malware.
“In addition to exposing numerous copyright and trademark infringements, we found that clicking on video overlay ads leads users to malware-hosting webpages in 50 per cent of the cases," said Zubair Rafique, a PhD student in computer science at KU Leuven who worked on the project.