The vulnerabilities affect RealPlayer on all versions of Windows, according to two short advisories that eEye Digital Security published on Thursday. To exploit the flaws, an attacker would craft a special media file and host it on a Web site or trick a user into opening it, Steve Manzuik, security product manager at eEye, said on Friday.
"I don't think there is an immediate risk to users. We have no evidence of others knowing or exploiting the flaw," Manzuik said.
Researchers at eEye told RealNetworks about one of the flaws on November 16 and reported the second on November 30, according to the advisories. eEye regards a patch as "overdue" 60 days after it has reported a vulnerability, so RealNetworks has some time to come up with a fix for the bugs.
Word of the latest flaws in RealPlayer comes just weeks after the SANS Institute, a nonprofit research group, warned that cybercriminals are shifting their attacks from operating systems such as Windows to media players and other applications. Earlier this year, researchers at Internet Security Systems warned that antivirus scanners are a target for hackers.
eEye said it has also found flaws in iTunes and QuickTime, two media player applications from Apple Computer. Those flaws were reported to Apple on November 17.
Representatives for RealNetworks could not immediately be reached for comment.
