RealNetworks patched its Real Player yet again on Thursday to fix multiple critical flaws in the popular media software.
According to eEye Digital Security, which uncovered the bugs and reported them to RealNetworks, two separate vulnerabilities affect multiple versions of RealPlayer for Windows, Mac OS X, and Linux. Both were classified as a "High" threat by eEye, a ranking that means attackers could use the flaws to remotely execute code on compromised computers.
One of the vulnerabilities could allow an attacker to execute malicious code by delivering a specially-crafted Real Media file in, for instance, an e-mail. The other involves RealPlayer skin files, which transform the look of the RealPlayer program. By building a malicious skin, then enticing the victim to a Web site hosting such a skin, the attacker could grab control of the machine without any other user interaction.
The second vulnerability only affects systems running the Windows version of RealPlayer.
RealNetworks has posted patches for both bugs on its Web site. The affected versions include RealPlayer 10.5, 10, and 8 (Windows), RealPlayer 10 (Mac), RealPlayer 10 (Linux), RealOne Player 1 and 2 (Windows), RealPlayer Enterprise (Windows), and Helix Player (Linux).
RealNetworks said in its advisory that it's not received any reports of actual attacks using these vulnerabilities, but urged users to immediately patch their players.
RealNetwork's software was patched against another vulnerability as recently as October.