Security researchers have warned of two RealPlayer flaws they say could allow malicious code to automatically execute on Windows, Linux and Mac OS X systems. RealNetworks has issued patches for the affected software.
The bugs, found in the way RealPlayer handles WAV and SMIL (Synchronized Multimedia Integration Language) files, can be exploited by embedding specially crafted files in a Web site, according to iDefense, which first notified RealNetworks of the SMIL problem in January. An attack could be carried out by convincing a user to open a malicious SMIL file, or by causing the file to load automatically in RealPlayer from a Web page.
"In default installations of RealPlayer under Windows, Internet Explorer will not prompt the user for an action when encountering a .smil file," iDefense said in its advisory. "It will open it without delay, thus allowing a more effective method of exploitation." The WAV vulnerability was discovered by NGS Software.
Both bugs are caused by boundary errors, researchers said. RealNetworks said it isn't aware of any compromises as a result of the vulnerabilities.
RealPlayer's architecture makes a workaround effectively impossible, according to iDefense. Even if users disassociate SMIL files from the player, an attacker could launch the file with RealPlayer using other methods, such as one of RealPlayer's many ActiveX controls. "Any effective workaround would prevent RealPlayer from functioning," iDefense said.
On Windows, the bug affects RealPlayer 10.5 (126.96.36.1996 and below), RealPlayer 10, RealOne Player V2, RealOne Player V1, RealPlayer 8 and RealPlayer Enterprise. On Mac OS X, RealPlayer 10 (10.0.0.325 and below) and RealOne Player are affected; on Linux, RealPlayer 10 and Helix Player are affected.
Updates can be found on RealNetworks' website.
RealNetworks is struggling to compete with the Windows Media Player bundled with Microsoft Windows, a situation that earned Microsoft a record anti-trust fine from the European Commission last year. However, the player is still one of the most widely used desktop applications.