VLC Player 2.0.5 and earlier versions are affected with a critical vulnerability, to address this Videolan is likely to release 2.0.6 version any time soon. If you’re using VLC media Player 2.0.5 and earlier versions you’re advised not to open files from untrusted sources as these versions are affected with vulnerability that has been rated as critical.
According to Security advisory released by VideoLan on their site while processing malicious ASF file a buffer overflow could occur, when that happens “a malicious third party could trigger an invalid memory access, leading to a crash of VLC media player’s process. In some cases attackers might exploit this issue to execute arbitrary code within the context of the application but this information is not confirmed.”
Exploitation happens only if user opens that specially created ASF file which unlikely to happen from users hard drive, but this can be possible in browsers on web with the VLC browser plugin where a malicious website can able to auto play the ASF file.
VLC has included the patch for this vulnerability in VLC 2.0.6 which is currently under testing and available as nightly builds for Windows and Linux platform, you can expect release of VLC player 2.0.6 at any time soon.
Videolan is currently suggesting users to follow the workarounds mentioned below
To avoid this until VLC 2.0.6 releases
1. Users should not open files from untrusted sources or they shouldn’t access remote sites.
2. Disable VLC Plugin in browser
You can do that in Firefox by Tools>Add-ons> select plugins and click disable button under “VLC web plugin”, similarly disable VLC plugin for Chrome and Opera browsers separately by visiting about:plugins page.
#II. or user can remove ASF demuxer from VLC plugin installed directory which prevents the playback of ASF movies.
for this navigate to “C:\Program Files\VideoLAN\VLC\plugins” find and delete “libasf_plugin.dll”.
Please share this article