RealPlayer, Helix Player vulnerable to attack

Users are being advised to upgrade to newer versions of the RealPlayer and Helix Player multimedia products because of a critical security flaw.

The flaw could allow an attacker to gain control over a user's PC using a buffer overflow vulnerability, a memory problem that can allow unauthorized code to run on a machine, according to iDefense Inc.

The vulnerability was discovered last October but publicly disclosed Tuesday on iDefense's Web site.

Affected versions of the software include the 10.5 "gold" RealPlayer and any 1.x version of Helix Player, according to the French Security Incident Response Team (FrSIRT).

FrSIRT categorized the problems as "critical," adding that a denial-of-service attack is also possible.

RealPlayer users should receive notification of a "critical update," advising them to upgrade to the beta version of a new release, version 11, said Lewis Webb, a spokesman for RealNetworks. The new version can be downloaded from the RealPlayer Web site, although the site does not mention the security problem.

Current versions of Helix Player, an open-source version of RealPlayer, are available on its developer Web site.

For a successful attack, a user would have to be tricked into downloading from a Web site a malicious SMIL (synchronized multimedia integration language) file, a format used in rendering media, iDefense said.