RealNetworks Inc. recommends users of RealPlayer and RealOne Player install updated versions it has issued to close a security hole attackers could use to launch malicious code.
The Seattle-based company said in an advisory it "has addressed a recently discovered security vulnerability that offered the potential for an attacker to run arbitrary or malicious code on a customer's machine." RealNetworks said it has received no reports of machines being compromised because of the vulnerability.
RealOne and RealPlayer are the most widely used products for Internet media delivery, with more than 200 million users worldwide.
The advisory said the specific problem could allow an attacker "to fashion a malicious skin file to cause a buffer overflow, which could have allowed an attacker to execute arbitrary code on a customer's machine. The buffer overrun was designed to occur in a third-party compression library, dunzip32.dll."
It added, "Skin files from RealNetworks' site are carefully examined before posting for viruses and exploits. To ensure that your player is protected, we recommend installing the available updates."
Danish security firm Secunia called the vulnerability "highly critical" in its advisory and credited Aliso Viejo, Calif-based security firm eEye Digital Security with reporting the vulnerability.
The vulnerability affects:
- RealPlayer 10.5 (prior to build 188.8.131.526)
- RealPlayer 10
- RealOne Player v2
- RealOne Player v1