Two of the three most popular media players on the market have highly critical bugs that could allow remote system control by a hacker.
Both Apple Computer's QuickTime and RealNetworks' RealPlayer have patched serious security holes this week, RealNetworks addressing a vulnerability in the way its players handle skin files and Apple fixing a bug its player.
The two applications, along with Microsoft's Windows Media Player, account for the vast majority of the media player market. Both players could allow attackers to run malicious code on a corporate desktop by luring a user to a specially crafted website, researchers said. The bugs only affect Windows.
Apple released an update for QuickTime versions 6.5.2 and earlier, fixing an integer overflow which the company said could be exploited via an HTML web page.
UK-based Next Generation Security Software (NGSS), which discovered the flaw, said it would withhold the specifics of the bug for three months, giving time for users to apply the patch. The bug affects Windows XP, 2000, ME and 98.
Apple has also fixed an older QuickTime flaw that could allow an attacker to embed malicious code in a bitmap image. The new fix extends the patch to more system configurations. A third patch fixes a less serious security bug in Apple Remote Desktop.
Meanwhile, NGSS' John Heasman and eEye Digital Security's Yuji Ukai both claimed to have discovered a flaw in Windows versions of RealPlayer that allows the execution of malicious code during the decompression of skin files.
The bug, patched by RealNetworks, is a buffer overflow in a third-party library called dunzip32.dll, used by RealPlayer to decompress the skin file.
An attacker could cause the player to automatically download and install a skin file (with the .rjs extension) via a web browser without the user's permission, then use the dunzip32.dll bug to run malicious code on the desktop, eEye said in an advisory.
The bug affects Windows versions of RealPlayer 10.5 (220.127.116.113 and earlier), RealPlayer 10 and RealOne Player versions 1 and 2.
Matthew Broersma writes for Techworld.com