RealNetworks' widely used media players RealPlayer and Helix Player are at risk from zero-day attacks, due to the publication of exploit code for a serious flaw in the software.

Helix Player is an open-source project that forms the foundation for Real's commercial RealPlayer. The flaw, a format string error, affects both players' Unix or Linux versions, and could be exploited via ".rp" and ".rt" file formats, and possibly other formats.

An attacker could exploit the bug by luring the user directly to the malicious files, or to a site in which the malicious files are embedded; they could then automatically load and execute malicious code, researchers said.

The bug was confirmed in Helix Player 1.0.5.757 (gold) and RealPlayer version 10.0.5.756 (gold), according to advisories from security firm Secunia. However, it is likely to affect any version of Helix or RealPlayer, according to researchers.

Secunia and FrSIRT, the French Security Incident Response Team, both gave the flaw highly critical ratings.

Zero-day attacks can occur between the disclosure of an exploit and the availability of a patch. Vendors try to reduce the risk of such attacks by disclosing vulnerabilities at the same time as they release patches. In this case, however, the researcher - known by the handle "c0ntex" - said he was forced to publish exploit code on the Internet despite the fact that patches haven't yet been produced.

In an advisory published on c0ntex's Open Security Group site, the researcher said he was prompted to disclose the flaw and exploit code to head off malicious users. "It seems someone is trying to pinch my research," he wrote. "As such I have been forced to release this advisory sooner than hoped."

RealNetworks, currently struggling against competition from Microsoft in the market for streaming media players, has suffered from several serious security holes in recent months. In March the company patched two RealPlayer flaws that allowed malicious code to automatically execute on Windows, Linux and Mac OS X systems. In June the company fixed four more serious flaws.