RealNetworks Inc. recommends users download updates it released to patch multiple security holes in RealOne Player, RealPlayer and Helix Player. An attacker could use the vulnerabilities to launch malicious code and delete files.
"RealNetworks Inc. has recently been made aware of security vulnerabilities that could potentially allow an attacker to run arbitrary or malicious code on a user's machine," the company said in its advisory. "While we have not received reports of anyone actually being attacked with this exploit, all security vulnerabilities are taken very seriously by RealNetworks Inc. Real has found and fixed the problem."
Copenhagen, Denmark-based security firm Secunia called the vulnerabilities "highly critical" in its advisory and described them as:
- An unspecified error when running local .rm files that could be exploited to execute arbitrary code. This has been reported in RealPlayer 8, 10, 10.5 Beta and 10.5 on Enterprise and Windows; RealOne Player versions 1 and 2 on Windows; Mac RealPlayer 10 Beta and Mac RealOne Player; and Linux RealPlayer 10 and Helix Player on Linux.
- A problem with malformed calls that can be exploited to execute arbitrary code by embedding the player on a malicious Web site and making specially crafted calls. This has been reported in RealPlayer 10, 10.5 Beta; 10.5 and RealOne Player versions 1 and 2 on Windows.
- An unspecified error that allows malicious Web sites and media files to delete arbitrary local files. This has been reported in RealPlayer 10, 10.5 Beta; 10.5 and RealOne Player versions 1and 2 on Windows.