VideoLAN is advising VLC media player users not to open files from untrusted third-parties following the discovery of a vulnerability in the ASF demuxer of VLC media player versions 2.0.5 and earlier.
According to the security advisory posted on the VideoLAN website, a buffer overflow might occur when parsing a specially crafted ASF movie, which could allow an attacker to trigger an invalid memory access & crash VLC media player.
The advisory also warns that this exploit could potentially be used by attackers to execute arbitrary code “within the content of the application,” although that scenario has not been confirmed.
VideoLAN states that this vulnerability will be patched in version 2.0.6, but it’s unclear when it will be released. The advisory hinted at a January release, but only 2.0.5 remains available to download.
In the meantime, users can protect themselves by:
- Only opening or accessing files that come from trusted sources.
- Disabling VLC browser plugins until the patch is applied.
- Manually removing the ASF demuxer (libasf_lugin.*) from the VLC plugin installation directory to prevent ASF movie playback.