Versions 2.0.5 and earlier of the popular VLC media player software contain a critical vulnerability that can be potentially exploited by attackers to execute malicious code on computers.
The vulnerability is located in the VLC component responsible for playing ASF (Advanced Streaming Format) video files, VideoLAN, the non-profit organization that develops the media player, said in a security advisory published on its website.
[ The Web browser is your portal to the world -- and the gateway for security threats. InfoWorld's expert contributors show you how to secure your Web browsers. Download the free PDF today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]
Vulnerability research and management firm Secunia rated the flaw as highly critical and said its successful exploitation could allow the execution of arbitrary code. The flaw can be exploited by tricking a user into opening a specially crafted ASF file.
VideoLAN advises users to refrain from opening files from untrusted locations and to disable the VLC browser plug-ins until the issue is patched. By default, VLC installs plug-ins for Mozilla Firefox, Internet Explorer, Google Chrome, Apple Safari, Opera and Konqueror. The plug-ins allow the playback of video files embedded into Web pages.
An alternative solution is to manually delete the vulnerable libasf_plugin.dll file from the VLC installation directory, VideoLAN said. This will disable the software's ability to play ASF videos until a patched version of the file is reinstalled during a software update.
A patch will be included in VLC 2.0.6, the next version of the media player, which is only available for testing purposes at the moment.
Users of Firefox, Chrome and Opera can use the 'click-to-play' functionality in those browsers to prevent the automated playback of plug-in-based content -- a method that can block silent Web-based attacks targeting vulnerabilities in popular browser plug-ins like Java, Adobe Reader or Flash Player. Mozilla announced this week that it plans to turn on click-to-play by default for all plug-ins in future versions of Firefox, except for the latest version of the Flash Player plug-in.
VLC media player is free to use and is available for Windows, Mac OS X, Linux and other UNIX-like operating systems including Solaris, FreeBSD, NetBSD, OpenBSD, as well as Android and iOS.