The multimedia player is vulnerable to attacks

Jan 4, 2007 06:45 GMT

VLC Media Player is one of the most popular multimedia players on the internet, with more than 3,388,721 downloads (and counting) according to the official website. The application was designed to play multiple audio and video formats such as MPEG-1, MPEG-2, MPEG-4, DivX, mp3, ogg, DVDs, VCDs, and several streaming extensions. VLC was developed for multiple platforms, including Windows, Mac and many Linux distributions, and can also be used as a server to broadcast audio or video content.

Popularity does not make the program one of the best-developed software solutions on the market, however: it is affected by a highly critical vulnerability, according to security company Secunia. "Kevin Finisterre and LMH have reported a vulnerability in VLC media player, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a format string error when handling "udp://" URIs and can be exploited via a specially crafted web site or an M3U file with a specially crafted udp:// URI containing format string specifiers as the file name," the firm added.

The affected version of VLC Media Player appears to be 0.8.6 for both Windows and Mac, and successful exploitation of the flaw can allow an attacker to execute malicious commands on the vulnerable computer.

"Requires a working Perl interpreter. The exploit(s) provided will create a M3U file, which can be locally opened or served remotely via web server. The exploit source code includes notes and other comments about the different options available. Both x86 and PowerPC versions are provided," it is mentioned in the original advisory.

The company didn't release an official update or patch to fix the vulnerability, so it seems the only way to avoid the danger is to refuse to open untrusted M3U files and to avoid visiting malicious webpages.
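One way to apply that workaround before a playlist reaches the player, as an added example (not code from the advisory or from the VLC project): the script scans M3U text for udp:// entries containing printf-style format specifiers, in either raw or percent-decoded form. The function names and the sample playlist are constructed for illustration, and the check is deliberately conservative, on the assumption that a legitimate udp:// entry names only an address and port.

```python
import re
from urllib.parse import unquote

# printf-style conversion: %[n$][flags][width][.precision][length]conversion
PRINTF_SPEC = re.compile(
    r"%(?:\d+\$)?[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?"
    r"(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]"
)

def find_specifiers(uri):
    """Return printf-style specifiers seen in the raw or percent-decoded URI."""
    found = []
    # Check both forms: "%25n" decodes to "%n" if a consumer unescapes first.
    for form in (uri, unquote(uri)):
        for spec in PRINTF_SPEC.findall(form):
            if spec not in found:
                found.append(spec)
    return found

def scan_m3u(text):
    """Return (line_number, uri, specifiers) for each suspicious udp:// entry."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and #EXTM3U / #EXTINF directives
        if entry.lower().startswith("udp://"):
            specs = find_specifiers(entry)
            if specs:
                hits.append((lineno, entry, specs))
    return hits

# Constructed sample playlist (not taken from the advisory).
SAMPLE = """#EXTM3U
#EXTINF:-1,Multicast stream
udp://@239.255.0.1:1234
#EXTINF:-1,Local file
music/track01.mp3
#EXTINF:-1,Constructed suspicious entry
udp://stream-%s-%x:1234
http://example.invalid/100%discount.mp3
"""

if __name__ == "__main__":
    for lineno, uri, specs in scan_m3u(SAMPLE):
        print(f"line {lineno}: {uri} contains {specs}")
```

Only udp:// entries are inspected, matching the scope of the reported flaw, so the `%d` in the http:// line of the sample is not reported.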