Critical RealPlayer Flaws Found

RealNetworks has issued patches to four vulnerabilities in its RealPlayer media software, some of which could allow an attacker to run unauthorized code on the user's computer.

The most serious of the bugs, which affects RealPlayers on the Windows, Macintosh, and Linux operating systems, takes advantage of a bug in the RealText file format that is used in SMIL (Synchronized Multimedia Integration Language) files, according to Michael Sutton, director of IDefense's labs.

"This is something that somebody could be vulnerable to without really taking much action. They could double click on a file, or go to a URL that somebody sent them in an e-mail," he says.

No Exploits--Yet

Sutton has not yet seen anyone publicly release software that could take advantage of any of the four bugs, but researchers at IDefense labs in Reston, Virginia, have privately developed code that exploits the RealText vulnerability.

The other RealPlayer flaws could be triggered by malicious code inserted into MP3, AVI (audio video interleaved), or RM (real media) files, and affect only the Windows version of RealPlayer, according to an advisory issued by RealNetworks.

Version 3 of the Rhapsody player for RealNetworks's online music service is also affected by one of the vulnerabilities, RealNetworks says.

More information on the vulnerabilities can be found online.