RealNetworks has issued four patches for security holes in its RealPlayer software, some of which could allow an attacker to run unauthorised code on your computer.
The most serious of the bugs, which affects RealPlayers on Windows, Macintosh and Linux, takes advantage of a bug in the RealText file format that is used in SMIL (Synchronized Multimedia Integration Language) files, according to Michael Sutton, director of iDefense's labs. "This is something that somebody could be vulnerable to without really taking much action. They could double click on a file, or go to a URL that somebody sent them in an mail."
Sutton has not yet seen anyone publicly release software that could take advantage of any of the four bugs, but researchers at iDefense labs have privately developed code that exploits the vulnerability.
The other RealPlayer flaws could be triggered by malicious code inserted into MP3, AVI or RM (real media) files, and affect only the Windows version of RealPlayer, according to an advisory issued by RealNetworks.
Version 3 of the Rhapsody player for RealNetworks's online music service is also affected by one of the vulnerabilities.