Real Networks has issued fixes for four serious security vulnerabilities in its RealPlayer media software. Two of the security holes involve overwriting operating system files to take control of PCs by simply playing a media file.
The most severe of the vulnerabilities appears to be a flaw in RealText, which is part of the RealMedia file format. The hole allows hackers to take over a system, security experts from iDefense warned in a security advisory. The attack method can be used to exploit RealPlayer for OS X, Windows and Linux as well as the Helix Player for Linux.
iDefense said it knows of no software that has been released that could take advantage of any of the four bugs.
Another vulnerability, which affects most RealPlayer software for Windows as well as Rhapsody, uses the Audio Video Interleaved (.avi), Real media and/or MP3 movie file format to overwrite a compromised PC's heap memory, which in turn allows hackers to take control of a system. The "high" level hack reportedly can be triggered by a Web page containing a movie configured to start playing automatically, according to an advisory from eEye, the security consultancy firm.
Users must download either a patch or new versions of the software, which can be found on Real's support page.