The vulnerability can be exploited remotely by tricking users into opening malicious ASF files Versions 2.0.5 and earlier of the popular VLC media player software contain a critical vulnerability that can be potentially exploited by attackers to execute malicious code on computers. The vulnerability is located in the VLC component responsible for playing ASF (Advanced Streaming Format) video files, VideoLAN, the non-profit organization that develops the media player, said in a security advisory published on its website.Vulnerability research and management firm Secunia rated the flaw as highly critical and said its successful exploitation could allow the execution of arbitrary code. The flaw can be exploited by tricking a user into opening a specially crafted ASF file.VideoLAN advises users to refrain from opening files from untrusted locations and to disable the VLC browser plug-ins until the issue is patched. By default, VLC installs plug-ins for Mozilla Firefox, Internet Explorer, Google Chrome, Apple Safari, Opera and Konqueror. The plug-ins allow the playback of video files embedded into Web pages. An alternative solution is to manually delete the vulnerable libasf_plugin.dll file from the VLC installation directory, VideoLAN said. This will disable the software’s ability to play ASF videos until a patched version of the file is reinstalled during a software update.A patch will be included in VLC 2.0.6, the next version of the media player, which is only available for testing purposes at the moment. Users of Firefox, Chrome and Opera can use the ‘click-to-play’ functionality in those browsers to prevent the automated playback of plug-in-based content — a method that can block silent Web-based attacks targeting vulnerabilities in popular browser plug-ins like Java, Adobe Reader or Flash Player. Mozilla announced this week that it plans to turn on click-to-play by default for all plug-ins in future versions of Firefox, except for the latest version of the Flash Player plug-in.VLC media player is free to use and is available for Windows, Mac OS X, Linux and other UNIX-like operating systems including Solaris, FreeBSD, NetBSD, OpenBSD, as well as Android and iOS. Related content news New Trojan ZenRAT masquerades as Bitwarden password manager A report by Proofpoint identifies the new Trojan as undocumented and possessing information-stealing capabilities. By Lucian Constantin Sep 28, 2023 4 mins Cyberattacks Cyberattacks Cyberattacks news UK Cyber Security Council CEO reflects on a year of progress Professor Simon Hepburn sits down with broadcaster ITN to discuss Council’s work around cybersecurity professional standards, careers and learning, and outreach and diversity. By Michael Hill Sep 27, 2023 3 mins Government Data and Information Security Security Practices news FIDO Alliance certifies security of edge nodes, IoT devices Certification demonstrates that products are at low risk of cyberthreats and will interoperate securely. By Michael Hill Sep 27, 2023 3 mins Certifications Internet Security Security Hardware news analysis Web app, API attacks surge as cybercriminals target financial services The financial services sector has also experienced an increase in Layer 3 and Layer 4 DDoS attacks. By Michael Hill Sep 27, 2023 6 mins Financial Services Industry Cyberattacks Application Security Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe