The developers of the VLC video player warned of a bug in the latest 2.0.5 version of the application, which could suffer an exploit that could lead to an attacker executing arbitrary code.
The issue is a problem in the ASF demuxer (libasf_plugin.*), which can fall prey to a buffer overflow with a specially crafted ASF movie. The developers said users would have to open that specially crafted file to be vulnerable and advise users to not open files from untrusted third parties or untrusted sites.
Another workaround is to delete the demuxer plugin – found in \VLC\plugins\demux\libasf_plugin.dll on Windows – to disable the vulnerable function.
There is a patch that replaces the vulnerable macro with static inline code and better bounds checking, and officials worked it into the forthcoming version 2.0.6 release of VLC.
Already patched versions of VLC for Windows and Mac OS X are available from the VLC nightlies site, but may have other bugs as they are ongoing development versions.