A serious flaw in the RealPlayer media player from RealNetworks could allow an attacker to take control of a victim PC if you open a poisoned movie file, or even just preview it in Windows Explorer, according to a new notice from Fortinet.
The hole in RealPlayer 11 involves the way the program processes Internet Video Recording, or IVR, files. And according to the notice, you wouldn’t have to actually open a downloaded, malicious movie to get hit: “A successful attack could take place by merely previewing the IVR file through Windows Explorer.”
No word on real-world attacks, thankfully, but there’s also no mention of an available patch from RealNetworks. So you can either be extra careful with movie file downloads or uninstall RealPlayer until there’s a fix. I’ll update this post if I hear back from RealNetworks about any available patch or workaround.
Also, if you use Firefox, be sure you’ve picked up the 3.0.6 update released earlier this week. Along with stability fixes, the update closes six security holes, one of which could allow an attacker to remotely install malicious software. Click Help | Check for Updates to make sure you’ve got the fix.