The problem has to do with the way the player handles unusually long Web addresses. In current versions of the player, an address of more than 299 characters will crash the application.
Web addresses with 300 characters may not seem like the most likely pitfall on the Web. But in a "buffer overflow" exploit, said to be the world's most common software glitch, the extra-long address is a springboard for potential attacks on a victim's computer.
In a buffer overflow, the attacker feeds a program more input, typically through a field such as an address bar, than the memory set aside for it will hold. In some cases the excess can be run as "executable" code, giving the attacker control of the computer without the constraints of security measures.
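As an added illustration that is not RealNetworks' code (the player's source is not public and its real buffer layout is unknown), the C below pairs the unchecked string copy that produces this kind of crash with a bounds-checked version that refuses an over-long address; the 300-byte buffer size is an assumption taken from the article's 299-character limit.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size, not the player's real layout: the article says 300 or
 * more characters crash it, so 300 bytes (299 characters plus NUL) fits. */
#define ADDR_BUF_SIZE 300

/* Vulnerable pattern: strcpy copies until it finds a NUL and ignores the
 * destination size, so a 300+ character address writes past the end of dst:
 * the crash the article describes. Comparison only; never called here. */
void copy_address_unchecked(char dst[ADDR_BUF_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: locate the terminator within the buffer limit before
 * copying and refuse anything that does not fit. Rejecting beats silent
 * truncation, which could leave an address the user never asked for.
 * Returns 0 on success, -1 if the address is too long. */
int copy_address_checked(char dst[ADDR_BUF_SIZE], const char *src)
{
    const char *nul = memchr(src, '\0', ADDR_BUF_SIZE); /* reads at most 300 bytes */
    if (nul == NULL) {
        dst[0] = '\0';
        return -1;
    }
    size_t len = (size_t)(nul - src);  /* strictly less than ADDR_BUF_SIZE */
    memcpy(dst, src, len + 1);         /* known to fit, NUL included */
    return 0;
}

/* Build a constructed address of n 'A' characters (not a real URL) and run
 * it through the checked copy; returns that copy's result. */
int check_address_length(size_t n)
{
    static char src[1024];
    char dst[ADDR_BUF_SIZE];
    if (n >= sizeof src)
        return -2;  /* constructed input itself too long */
    memset(src, 'A', n);
    src[n] = '\0';
    return copy_address_checked(dst, src);
}

int main(void)
{
    printf("299 chars -> %d\n", check_address_length(299));  /* prints 0  */
    printf("300 chars -> %d\n", check_address_length(300));  /* prints -1 */
    return 0;
}
```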
RealNetworks said it is testing a patch for the bug. The company denied, however, that the bug poses more than a nuisance to users.
"It's a bug, and we do not believe it's a security risk at all," said Steve Banfield, general manager of the RealPlayer group at RealNetworks. "If it is, it has never been exploited to our knowledge."
The person who discovered the bug acknowledged that he had not produced a demonstration of an exploit. But he said the behavior of the bug made it appear likely that it would present a security hazard.
"The scary thing is that by looking at the dump output when you crash, it looks like it would be able to execute arbitrary code," said Adam Muntner, the security enthusiast who posted news of the bug to the Bugtraq security mailing list. "It should be trivial to do that."
RealNetworks said the parameters of the software hole made a security attack an unlikely scenario.
"Based on our analysis, it would be almost impossible for someone to do that," Banfield said. "You can't guarantee where you're going at that point (after the application crashes from the overflow). Even if you could, it's a tiny overflow area--only a couple hundred bytes."
RealNetworks will post either a patch or an updated version of the player to its Web site tomorrow.