Real Patches Critical Flaws in Player

RealNetworks on Thursday issued an advisory detailing four security flaws in its RealPlayer software and earlier versions of its Rhapsody music store. The most critical of the holes could give an attacker full control over a user's computer, the company said. Linux versions of RealPlayer are also affected.

Three of the flaws can be exploited using a malicious media file, such as RealMedia or AVI, which causes a buffer overflow in RealPlayer and the potential execution of arbitrary code. A malicious MP3 file could be used to overwrite local files or launch an ActiveX control.

The fourth vulnerability involves an attack creating a malicious Web site that could cause a local HTML file to be created and then trigger an RM file to play which would then reference this local HTML file.

RealNetworks said it has received no reports of machines compromised as a result of the vulnerabilities, but encouraged users to upgrade immediately. The company detailed versions of its software that are affected, and has provided step-by-step instructions for checking if a user is vulnerable.

The latest security problems follow a similar vulnerability exposed in March that opened the door to infected SMIL or WAV files executing arbitrary code using RealPlayer. Real also experienced the same problems in October 2004 with malicious movie files.