Two unrelated vulnerabilities have recently shown up in the popular digital media players RealNetworks'® RealOne® and Apple Computer's® QuickTime®. Both could allow an attacker to install damaging software on a victim's computer.

RealNetworks® has issued an advisory warning that an attacker who creates a specially crafted Portable Network Graphics (PNG) file could cause "heap corruption" and thereby execute code on the victim's machine. The vulnerable software uses an older data-compression library within the RealPix® component of the player, leaving the system exposed. The company said it has fixed the vulnerability by moving to an updated version of the data-compression library. The vulnerability affected the following popular versions of RealNetworks'® digital media players: RealOne Player®, RealOne Player v2 for Windows®, RealPlayer 8 for Windows®, RealPlayer 8 for Mac OS 9®, RealOne Player for Mac OS X®, RealOne Enterprise Desktop Manager® and RealOne Enterprise Desktop®.

Until this is all sorted out with proper verification, we recommend that you uninstall the above players and use Windows Media Player® as the alternative. In fact, we have found RealNetworks'® digital media players invasive and overdesigned when compared to Windows Media Player® and Apple's QuickTime Player®. We therefore recommend that you permanently uninstall RealNetworks'® digital media players from your computer and never use their products again.

It has also been reported that an exploitable buffer overflow vulnerability in Apple's QuickTime Player® could affect computers running Microsoft's Windows® but not those running Apple's Macintosh® operating systems. Buffer overflows occur when an application is handed more data than the memory it set aside for that data can hold, so that the excess overwrites adjacent memory. By triggering a buffer overflow, attackers can inject their own code into the running application. In this particular case, a URL containing 400 characters will overrun the allocated space, allowing the attacker to assume control of the system. Thus all the attacker needs to do is convince a web surfer to click on the specially crafted URL.

QuickTime Player versions 5.x and 6.0 for Windows® are vulnerable. The workaround is to first uninstall and then reinstall a QuickTime Player version newer than 6.0. You can get the latest standard version here.
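To show the defect class the QuickTime report describes, here is an added example (not code from the article, Apple or RealNetworks): a URL handler that copies into a fixed-size buffer, shown in the unsafe form and in a bounded form that refuses input that does not fit. The buffer size of 256 bytes and the test lengths are constructed for illustration; the article gives only the 400-character figure.

```c
/* Added example: fixed-size URL buffer, unsafe copy versus checked copy.
 * URL_BUF is a hypothetical size chosen for the demonstration. */
#include <stdio.h>
#include <string.h>

#define URL_BUF 256   /* hypothetical fixed buffer size */

/* Unsafe pattern: copies however many bytes the caller supplies into a
 * fixed buffer. A URL longer than URL_BUF - 1 bytes writes past the end of
 * buf (undefined behaviour). This is the class of defect the article
 * describes; it is shown for contrast and never called here. */
void store_url_unsafe(char buf[URL_BUF], const char *url)
{
    strcpy(buf, url);
}

/* Hardened pattern: measure the input with a bounded scan, refuse anything
 * that does not fit together with its terminator, and only then copy.
 * Returns 1 on success, 0 when the URL is rejected as too long. */
int store_url_checked(char buf[URL_BUF], const char *url)
{
    size_t len = 0;
    while (len < URL_BUF && url[len] != '\0')   /* never scan past URL_BUF */
        len++;
    if (len >= URL_BUF) {
        buf[0] = '\0';          /* leave the destination well defined */
        return 0;               /* too long: reject rather than truncate silently */
    }
    memcpy(buf, url, len + 1);  /* len + 1 copies the terminating NUL */
    return 1;
}

/* Demonstration helper: builds a URL-shaped string of exactly n characters
 * and reports whether the checked copy accepts it. */
int check_url_of_length(size_t n)
{
    char url[1024];
    char buf[URL_BUF];
    if (n >= sizeof url) return -1;
    memset(url, 'A', n);
    url[n] = '\0';
    if (n >= 7) memcpy(url, "http://", 7);   /* keep it URL-shaped */
    return store_url_checked(buf, url);
}

int main(void)
{
    printf("64-char URL accepted:  %d\n", check_url_of_length(64));   /* 1 */
    printf("400-char URL accepted: %d\n", check_url_of_length(400));  /* 0 */
    return 0;
}
```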