I’ve made no secret out of the fact that I am absolutely bonkers about the VLC or Video LAN Client media player. I liked it a lot when it was in its early development phase, I liked it even more when it reached the RC (Release Candidate) milestone, and I definitely loved what I saw when the media player was launched as a final, stable product. Since then the software has been updated to version 1.0.1 (but we missed that one because we were focused on other things) and as of this week to version 1.0.2

Finding out that VLC has been updated comes as pleasant news. Finding out what the update addresses is even better. It seems that VLC version 1.0.1 and all other versions down to 0.5.0 are plagued by critical security vulnerability that if exploited could lead to arbitrary code execution.

Here is the official explanation provided by the Video LAN Project: “When parsing a MP4, ASF or AVI file with an overly deep box structure, a stack overflow might occur. It would overwrite the return address and thus redirect the execution flow. If successful, a malicious third party could trigger execution of arbitrary code within the context of the VLC media player. Exploitation of this issue requires the user to explicitly open a specially crafted file.”

You are well advised to download and install version 1.0.2 onto your system. It is the only means of ensuring you and your system remain protected. If you do not upgrade, the only other workarounds are:

• do not open files from untrusted sources.
• do not access untrusted remote sites.
• disable the VLC browser plug-in.
• manually remove the MP4, AVI and ASF demuxer plug-ins from the VLC plug-in directory. These are: libmp4_plugin.*, libavi_plugin.*, libasf_plugin.*

If you would like to get VLC 1.0.2, you can download it straight from FindMySoft here (Windows only).
If you would like to get it straight from the official Video LAN Project webpage, just click here (all other supported operating systems).