Three security holes found in the popular RealOne media player has put millions of users at the mercy of attackers, Seattle-based RealNetworks warned Tuesday.

The company confirmed the bugs in its flagship digital media software, which is used by approximately 115 million users, could let an attacker execute arbitrary code on vulnerable systems and urged that patches be installed.

The RealOne Player, RealOne V2 Player and the earlier RealPlayer are affected, said NGSSoftware, which reported the flaws to RealNetworks.


The first buffer overrun flaw was found in a smil file where there is a large number of characters in metadata of that file. This causes the player to crash when trying to play that smil file. "The bug was fixed by fixing the player status code to handle the cases where there are large number of characters in metadata of a smil file," RealNetworks said.

The company, which competes directly with Microsoft's Windows Media Player for command of the digital media delivery market, said it had not received reports of anyone actually being attacked with the exploit.

The second security vulnerability is a problem with large file names whether on local/rtsp or http url. RealNetworks said the player would crash if a user right clicks in 'Now Playing' and selects edit clip info or right click in "Now Playing" and selects copy to my Library.

The third and most serious of the three is described as a parsing error in the player code associated with loading sources within RealFlash presentations. This could theoretically be used by hackers to adversely affect users, the company warned.

NGSSoftware said hackers could exploit the hole by sending a link to a file or Web page with malicious code. When the file is processed through RealPlayer, it could either crash the multimedia software or allow access to a victim's machine.