A digital security firm has found security flaws affecting several RealNetworks media players, flaws that could be exploited by way of malicious Web pages or RealMedia files from local drives to take over a user’s computer remotely or delete files, Real said this week.
The company said there are no known attacks using these flaws just yet, and they’ve issued patches for the affected applications, while Secunia, a Danish security firm, has given the bugs a rating of “high critical.”
The makers of the popular computer media players said September 30 that researchers turned up “a myriad of serious security flaws” in theirs and other client software over the past few weeks, with the bugs difficult to patch because of how many desktops use them. Similar vulnerabilities are said to have been found in Winamp, another popular media player, as well as file compressor WinZip and Apple’s iChat message program, according to EEye Digital Security.
The most serious of the Real bugs is said to involve “malformed calls” exploitable by way of a player embedded in a malicious Web page to execute what Eeye called arbitraty code, affecting RealPlayer 10, 10.5, and RealOne versions 1 and 2 on Windows. Another allows malicious code execution by way of local Real Media files, which Real said affects several RealPlayer and RealOne versions on Windows and Macintosh OS X as well as some Linux configurations.
The third bug lets the operator of malicious Web page and media file alike delete files on a user computer as long as the attacker knows just where the files are. This one affects the same applications as the malformed-calls bug, Real said.
This news comes in the immediate wake of the so-called JpegOfDeath bug that exploits a flaw in how Windows software decodes .jpg images. Microsoft has issued a patch to close the flaw – which allows malware to operate through the coding by which Microsoft applications and the Internet Explorer browser translate and present .jpeg image files, when a user actually opens an infected .jpeg image – but some analysts think the bug will end up spurring more users to seek and use alternative Web browsers.
