Remote exploitation of a heap-based buffer overflow in
RealNetwork Inc's RealPlayer could allow the execution of
arbitrary code in the context of the currently logged in
user.
In order to exploit this vulnerability, an attacker would
need to entice a user to follow a link to a malicious server.
Once the user visits a website under the control of an
attacker, it is possible in a default install of RealPlayer
to force a web-browser to use RealPlayer to connect to an
arbitrary server, even when it is not the default application
for handling those types, by the use of embedded object tags
in a webpage. This may allow automated exploitation when the
page is viewed.