Real Patches Two Serious Player Flaws

RealNetworks patched two significant vulnerabilities that affect most versions of its Real Player software. One flaw, marked as a "high risk," allows a skin file to be downloaded and applied to the player without the user's permission. The file could contain data that causes a heap overflow, according to eEye Digital Security.

The other more serious flaw involves specially formatted .rm movie files. An attacker could use the file to trigger a direct stack overwrite and thus open up a backdoor to execute malicious code. "RealNetworks has received no reports of machines compromised as a result of the now-remedied vulnerabilities," the company said in an advisory, but pointed out that it "takes all security vulnerabilities very seriously." The patches are available through Real Player's built-in update mechanism.