Lights, camera...virus! RealPlayer vulnerable to fake movies

Linux, Mac, Windows versions all affected

By Robert Lemos

Published: 4 October 2004 10:15 GMT

A software slip-up in RealNetworks' music player means that Windows, Mac and Linux computers could be compromised by a fake movie file, a security company said on Friday.

The problem means that fake movie files could be created that, when played by vulnerable Real software, would run a program instead. The flaw appears in RealPlayer 10 for Windows and Mac OS X, the RealOne Player for Windows and Mac OS X and the Real Helix Player for Linux.

"Anyone who has RealPlayer is affected, and there are many people with RealPlayer," said Marc Maiffret, chief hacking officer at software security company eEye Digital Security, the company that discovered the security issue.

RealNetworks could not immediately be reached for comment.

The flaw occurs in a component of Real's software that handles Real movie files with the .rm extension, according to eEye's advisory.

Similar to the recent flaw in Windows applications that handle the JPEG image format, this vulnerability affects a widespread piece of software and could be used to create a virus.

"It's similar to the JPEG flaw in the sense that just by viewing the file, or having the file 'force viewed' through a Web browser, your system can be compromised," Maiffret said. "I think both this JPEG vulnerability and the RealPlayer vulnerability are good examples of a type of threat that is becoming more prevalent: client-side vulnerabilities."

Rather than finding a security hole in the operating system and gaining direct access to a computer, attackers are now increasingly looking at exploiting widely used applications.

"Most security software...is not able to defend itself well against these client-based vulnerabilities, leaving companies with few alternatives other than patching," Maiffret said.

RealNetworks has issued patches for the flaw.
