s18000rpm
ಠ_ಠ
The second flaw warning in the Month of Apple Bugs project is for a remote code execution issue affecting the cross-platform VLC media player distributed by VideoLAN. A working exploit for the vulnerability, which follows yesterday's QuickTime security hole, has been released, alongside a warning that it targets a format string vulnerability in handling of the udp:// URL handler.
"By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC," said an advisory from LMH and Kevin Finisterre, the two hackers behind the project. The flaw and exploit were successfully tested on VLC version 0.8.6 for Mac OS X. David Maynor of Errata Security has confirmed that it also affects Windows users.
Since the issue is previously undocumented and unpatched, the only potential workaround would be to disable the udp:// URL handler or uninstall the VLC media player.
Or, as the hackers taunt, "Simply live with the feeling of being a potential target for pwnage."
Source: eWeek