RealNetworks (Nasdaq: RNWK) has mended four serious security vulnerabilities that were found in its Real, Rhapsody and Helix media players. There have been no reports of machines compromised as a result of the vulnerabilities, RealNetworks noted, but security firms have ranked the flaws as "highly critical."
The company -- which itself ranked the flaws as "serious" -- has recommended that users immediately update RealPlayer and RealOne Player for Windows and Mac OS X systems by using the software's update function.
Linux users can download a new version of Helix Player and RealPlayer 10 for Linux and install those applications manually.
The most serious vulnerability of the set affected RealPlayer on Windows, Macintosh and Linux platforms. The flaw was in the RealText format used in Synchronized Multimedia Integration Language files.
SMIL is a scripting language -- based on the Extensible Markup Language (XML) -- that developers use to create multimedia presentations.
IDefense considered the SMIL vulnerability to be dangerous because a user's system could be compromised without much interaction.
Often, flaws that require little user effort are cause for the most concern, noted Secunia security researcher Thomas Kristensen.
"These are the type of vulnerabilities that we look at more closely, and they also tend to get higher rankings in terms of seriousness," he said. "Without user interaction needed, like someone having to download a file in order to be infected, it means attackers have greater power to get onto a system."
The other three vulnerabilities patched by RealNetworks affected only the Windows version of RealPlayer, according to the company's advisory. The flaws could allow malicious code to be inserted into MP3, AVI or RealMedia files.
One of the exploits could have let an attacker use default settings of earlier Internet Explorer browsers to create a malicious Web site and a local HTML file.
The attacker could trigger a RealMedia file to play, which would reference the file and, in turn, allow for remote code execution.