Glitches found in RealOne and QuickTime

Security warnings have been released for two of the most popular digital media players - RealNetworks' RealOne player and Apple's QuickTime.

RealNetworks released an advisory warning that its flagship RealOne Player is at risk both on Windows and Mac OS X, as well as RealOne Player version 2 for Windows, RealPlayer 8 for Windows and Mac OS 9, RealOne Enterprise Desktop Manager and RealOne Enterprise Desktop.

The company warned that a maliciously corrupted Portable Network Graphicfile, viewable through a web browser, could cause 'heap corruption' and allow an attacker to execute arbitrary code on a system.

Experts are also warning of an unrelated vulnerability in Apple's QuickTime media player, where an exploitable buffer overflow could allow for the execution of arbitrary code.

Security firm iDefense released an advisory detailing how a URL containing more than 400 characters would overrun allocated space on the stack and allow arbitrary code to be slotted in.

"Any remote attacker can compromise a target system if he or she can convince a user to load a specially crafted exploit URL," the company said.

"Upon successful exploitation, arbitrary code can be executed under the privileges of the user who launched QuickTime."

QuickTime Player versions 5.x and 6.0 for Windows are vulnerable, but QuickTime for Mac OS is not. Apple has since released QuickTime 6.1, which patches the flaws on Windows.