The flaw permits what is known as a "denial-of-service" attack against specific RealServers. A denial-of-service attack is one that floods a server with a volume of bogus requests or that exploits a vulnerability so that it can't respond to legitimate demands for information.
RealNetworks learned of the vulnerability and the demonstration exploit, dubbed "realdie.exe," through the Bugtraq post yesterday and finished work on its remedy last night. Patches are available for download.
"As soon as we found out about it, we deployed a tiger team to analyze it, created a fix, put it through quality assurance testing, and posted it," a RealNetworks representative said. "We had a group of developers focused on it for the day. We treat all of these things very seriously."
The denial-of-service attack and its cousin, the distributed denial-of-service attack, gained notoriety this year after attacks brought down major Web sites including Yahoo, eBay and Amazon.com.
In this case, RealNetworks customers did not suffer actual attacks, as far as the company knows. But the release of the demonstration exploit was timed to embarrass RealNetworks in retaliation for its privacy policies, according to the security firm.
USSR said it had not given RealNetworks the customary heads-up on the vulnerability "for the reason of previous reports of RealNetworks user privacy invasion."
RealNetworks called USSR's aggressive move groundless.
"We never invaded anyone's privacy, so it doesn't make a lot of sense," said the company representative. "We never kept track of what music people were listening to or kept track of individuals."
RealNetworks is urging all customers to take precautions against the exploit.
"We think everybody should download that patch," the representative said. "You always want to treat these things seriously."