RealNetworks has patched two highly critical holes in its media player. The bugs could allow an attacker to run malicious code by directing users to a specially-crafted Web page, via an email message for example, according to security experts.

RealOne Player, RealOne Player v2, RealPlayer 10, RealPlayer 8 and RealPlayer Enterprise are all affected. The company has released updates fixing the problem for all except RealPlayer 8; the patches are available by using the software's built-in updating mechanism, as described in Real's advisory. RealPlayer 8 users are recommended to upgrade to RealPlayer 10.

"While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks," the company said in a statement.

The first bug, discovered by eEye Digital Security's Karl Lynn, involves a file called embd3260.dll. A problem with the way the file generates error messages means that an attacker could use a malformed movie file embedded in a Web page to execute malicious code on a user's PC. "A heap block is allocated to contain the error message, but because of a flaw in how the buffer size is calculated, an overflow will always happen," eEye said in its advisory.

The second, related problem is in RealPlayer's handling of URLs, allowing a user's PC to be compromised by Web addresses containing large numbers of period characters (not Mr Darcy, but "."). "One method of exploiting this vulnerability is to place a .RAM file containing a maliciously constructed URL on a Web server and send an email to the target with a link containing the file," said iDefense in its advisory. IDefense's Greg MacManus is credited with discovering this flaw.

The most likely way for attackers to exploit these flaws would be through spam messages containing links to the malformed files, researchers said. "User awareness is the best defence against this class of attack," said iDefense. "Users should be aware of the existence of such attacks and proceed with caution when following links from suspicious and/or unsolicited e-mail."

Both flaws were reported to RealNetworks about a month ago, with disclosure timed to coincide with the release of patches. Secunia, which maintains a unified database of software flaws, has also released an advisory on the issues.

A similar set of flaws in RealPlayer came to light in February.