Critical RealPlayer Flaw Flagged

Researchers at eEye Digital security flag another code execution hole in the widely deployed media player.

Researchers at eEye Digital Security have flagged another critical vulnerability in RealPlayer, the digital media software released by RealNetworks Inc.

The Aliso Viejo, Calif.-based eEye said in a brief advisory that the flaw can be exploited by remote malicious hackers to execute arbitrary code in the context of the logged-in user.

The bug carries a "high risk" rating because it potentially puts millions of Windows users at risk of computer takeover attacks.

The flaw was reported to RealNetworks in November. A patch is not yet available.

This is the second RealPlayer vulnerability reported by eEye. On Nov. 16, the company also discovered and reported a high-severity flaw to Seattle-based RealNetworks, but that bug also remains unpatched.

Both issues require an attacker to trick a RealPlayer user into launching a maliciously rigged media file.

/zimages/4/28571.gifClick here to read more about unpatched bugs in iTunes and QuickTime.

The latest media player flaw discoveries follow a warning from SANS ISC (Internet Storm Center) that malicious hackers have shifted attack techniques to focus on desktop applications instead of holes in operating systems.

In a recent interview, eEye Security Product Manager Steve Manzuik said it was surprising—and disappointing—that users tend to ignore serious bugs in desktop applications like digital media players. "Media player flaws always fly under the radar, but thats where the malicious hackers are looking for vulnerabilities. A lot of users can be tricked into opening files. These are very serious flaws," he said.

The company has also identified unpatched code execution holes in iTunes and QuickTime, two widely deployed Apple Computer Inc. digital media applications. As per policy, Apple does not comment on potential security vulnerabilities in its products until a fix is available.

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.