VideoLAN has warned users of VLC media player version 2.0.5 and earlier that the software contains a critical vulnerability that attackers could potentially exploit to execute malicious code on their computers.
According to the non-profit organization that develops the popular media player, the vulnerability is located in the VLC component responsible for playing ASF (Advanced Streaming Format) video files. "When parsing a specially crafted ASF movie, a buffer overflow might occur," VideoLAN wrote in a security advisory.
If successful, a malicious third party could trigger an invalid memory access, crashing the VLC media player process. In some cases attackers might be able to exploit the issue to execute arbitrary code within the context of the application, although that has not been confirmed yet.
The issue is addressed in the VLC media player 2.0.x source code repository by replacing a macro with a static inline function and improving the bounds checking, VideoLAN said. The patch will be included in VLC 2.0.6, the next version of the media player, which is currently available only for testing purposes.
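The fix pattern the advisory describes, as an added example that is not VideoLAN's code: a reader for ASF object framing (16-byte GUID followed by a little-endian 64-bit object size) in which a length-checked static inline, get_u64le, stands in for an unchecked macro-style read, and count_asf_objects refuses truncated headers and size fields that do not fit the buffer. cursor_t, both function names and the sample byte strings are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not VLC's code: a minimal reader for ASF object framing
 * (16-byte GUID, then a little-endian 64-bit size that includes the header). */
typedef struct { const uint8_t *p; size_t left; } cursor_t;
#define ASF_OBJECT_HEADER_SIZE 24u   /* GUID (16) + size field (8) */

/* Length-checked static inline in place of an unchecked macro read. A macro that
 * did "(c)->p += 8" without testing c->left would read past the end of the buffer
 * on a truncated object; this version fails closed and leaves the cursor untouched. */
static inline bool get_u64le(cursor_t *c, uint64_t *out)
{
    if (c->left < 8) return false;
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | c->p[i];
    *out = v;
    c->p += 8; c->left -= 8;
    return true;
}

/* Walks consecutive objects; returns how many are fully contained in the buffer,
 * or -1 if a header is truncated or its size field is smaller than the header
 * itself or larger than the bytes that remain (never trust the size field). */
static int count_asf_objects(const uint8_t *buf, size_t len)
{
    cursor_t c = { buf, len };
    int n = 0;
    while (c.left > 0) {
        uint64_t size;
        if (c.left < 16) return -1;            /* truncated GUID */
        c.p += 16; c.left -= 16;
        if (!get_u64le(&c, &size)) return -1;  /* truncated size field */
        if (size < ASF_OBJECT_HEADER_SIZE || size - ASF_OBJECT_HEADER_SIZE > c.left)
            return -1;                         /* declared payload does not fit */
        c.p += size - ASF_OBJECT_HEADER_SIZE; c.left -= size - ASF_OBJECT_HEADER_SIZE;
        n++;
    }
    return n;
}

/* Constructed sample streams; the GUID bytes are arbitrary placeholders. */
#define GUID16(b) b,b,b,b,b,b,b,b,b,b,b,b,b,b,b,b
static const uint8_t sample_ok[] = { GUID16(0x11), 24,0,0,0,0,0,0,0,
    GUID16(0x22), 28,0,0,0,0,0,0,0, 0xaa,0xbb,0xcc,0xdd };  /* two objects */
static const uint8_t sample_oversized[]  = { GUID16(0x11), 100,0,0,0,0,0,0,0 };
static const uint8_t sample_undersized[] = { GUID16(0x11), 8,0,0,0,0,0,0,0 };
static const uint8_t sample_truncated[]  = { GUID16(0x11), 24,0,0,0 };
```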
An alternative solution is to manually delete the vulnerable libasf_plugin.dll file from the VLC installation directory, VideoLAN said. This will disable the software's ability to play ASF videos.