The second flaw warning in the Month of Apple Bugs project is for a remote code execution issue affecting the cross-platform VLC media player distributed by VideoLAN. A working exploit for the vulnerability, which follows yesterday"s QuickTime security hole, has been released, alongside a warning that it targets a format string vulnerability in handling of the udp:// URL handler.
"By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution condition, under the privileges of the user running VLC," said an advisory from LMH and Kevin Finisterre, the two hackers behind the project. The flaw and exploit were successfully tested on VLC version 0.8.6 for Mac OS X. David Maynor of Errata Security has confirmed that it also affects Windows users.