Exploit code created for hole in RealPlayer
Elazar Broad, who isolated a heap overflow flaw in an ActiveX control running on RealPlayer, also has created an exploit, he said. Vulnerability tracking firm Secunia rates the bug -- which was announced on Monday -- as “highly critical,” according to an advisory.
Broad has not publicly released the exploit code, instead choosing to give Real Networks, which provides the RealPlayer, time to deliver a patch, he said.
“This bug can potentially be exploited to execute arbitrary [code] in the context of the user running the vulnerable application, in this case, through Internet Explorer,” Broad said.
Ryan Luckin, a Real Networks spokesman, said on Tuesday that the company is “actively looking into this and will provide more information as it becomes available.”
Over time, hackers have shifted their focus to finding holes in popular client-side software, said Eric Schultze, chief technology officer of Shavlik Technologies, a patch management firm.