RealNetworks Advises Users To Patch RealPlayer
2005-03-01 16:08:00
Critical bugs in RealNetworks' RealPlayer could let hackers hijack Windows, Mac, and Linux systems, security firms warned Tuesday.
Several editions of RealNetworks' popular media player are at risk from a pair of vulnerabilities that could allow attackers to compromise machines with specially crafted .wav and/or .smil files, said Danish security firm Secunia. The .smil format is a file type that supports multimedia streaming protocols.
iDefense, a Reston, Va.-based security intelligence firm, discovered the .smil vulnerability, and posted its own warning, along with demonstration code for an exploit that would cause a buffer overflow on the target machine. According to iDefense's researchers, an attacker could e-mail a corrupt .smil file to a user, or place one on a Web site, then entice people to that URL.
"In default installations of RealPlayer under Windows, Internet Explorer will not prompt the user for an action when encountering a .smil file," said iDefense's alert. "It will open it without delay, thus allowing a more effective method of exploitation."
For its part, RealNetworks confirmed that multiple versions of RealPlayer, RealOne, and Helix are at risk, and must either be discarded for later editions or patched.
Unlike most vulnerabilities, these aren't limited to Windows; they also affect versions of the media player that run under the Linux or Mac OSes.
Among the affected editions are RealPlayer 8, 10, and 10.5 for Windows; RealPlayer 10 and RealOne Player for the Mac; and RealPlayer 10 for Linux. RealPlayer Enterprise 1.1, 1.2, 1.5, 1.6, and 1.7 are also at risk, said RealNetworks.
Patches for RealPlayer Enterprise can be downloaded from here, while instructions for the other editions are posted elsewhere on the RealNetworks Web site.
This isn't the first time that RealPlayer has had to be patched. Last year, just before the release of RealPlayer 10, the Seattle-based developer posted fixes for a flaw that could allow a remote attack.