Real Player vulnerable to hacking

Three serious security vulnerabilities have been found in Real Player, the popular multimedia software.

NGS Software, an application security company, found the security bugs. It released an advisory noting that, according to Real, "...there are currently around 115 million users worldwide of these products."

Interestingly, the NGS advisory points out an omission in Real's own advisory.

"In Real's own advisory they omit the fact that RealOne Enterprise Desktop is also vulnerable, but only to issues 2 & 3," it said, referring to two of the three separate vulnerabilities identified by NGS.

The vulnerabilities will only affect users who are actively using the Real Player software. In order to successfully exploit these bugs, a hacker would have to "load up" some arbitrary multimedia content with malicious code. If the targeted user were to view this multimedia content in the Real Player, the malicious code would run and give the attacker access to the victim's computer.

The vulnerabilities could potentially be used to create an Internet worm, especially if the worm used the Real Player bugs in conjunction with other techniques, such as social engineering.

Examples of social engineering in worms include the Anna Kournikova worm, which spread by duping users into running an attachment that was assumed to be saucy photos of the tennis star, but was in fact a worm payload.

"Social engineering" techniques could be used by a worm writer to propagate a worm based on the Real Player security holes. For example, it may arrive by email, from a known email address, and promise a funny movie or film clip.

The issue is easily resolved. Real have already released a security patch that addresses all three of the vulnerabilities; users of the Real Player software should apply this patch to their systems.

Users can download the patch here or alternatively open Real Player, go to help, then to about Real Player, and select the check for updates feature.
