Critical flaw hits latest VLC media player software
Vulnerability can be exploited remotely by tricking users into opening malicious ASF files
IDG News Service - Versions 2.0.5 and earlier of the popular VLC media player software contain a critical vulnerability that can be potentially exploited by attackers to execute malicious code on computers.
The vulnerability is located in the VLC component responsible for playing ASF (Advanced Streaming Format) video files, VideoLAN, the non-profit organization that develops the media player, said in a security advisory published on its website.
Vulnerability research and management firm Secunia rated the flaw as highly critical and said its successful exploitation could allow the execution of arbitrary code. The flaw can be exploited by tricking a user into opening a specially crafted ASF file.
VideoLAN advises users to refrain from opening files from untrusted locations and to disable the VLC browser plug-ins until the issue is patched. By default, VLC installs plug-ins for Mozilla Firefox, Internet Explorer, Google Chrome, Apple Safari, Opera and Konqueror. The plug-ins allow the playback of video files embedded into Web pages.
An alternative solution is to manually delete the vulnerable libasf_plugin.dll file from the VLC installation directory, VideoLAN said. This will disable the software's ability to play ASF videos until a patched version of the file is reinstalled during a software update.
A patch will be included in VLC 2.0.6, the next version of the media player, which is only available for testing purposes at the moment.
Users of Firefox, Chrome and Opera can use the 'click-to-play' functionality in those browsers to prevent the automated playback of plug-in-based content -- a method that can block silent Web-based attacks targeting vulnerabilities in popular browser plug-ins like Java, Adobe Reader or Flash Player. Mozilla announced this week that it plans to turn on click-to-play by default for all plug-ins in future versions of Firefox, except for the latest version of the Flash Player plug-in.
VLC media player is free to use and is available for Windows, Mac OS X, Linux and other UNIX-like operating systems including Solaris, FreeBSD, NetBSD, OpenBSD, as well as Android and iOS.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!