Real Player Vulnerabilities

I heard about this earlier today and I meant to post about it but I forgot. I was reminded again on Slashdot. You can read the NGSSoftware advisory here.

By crafting malformed .RP, .RT, .RAM, .RPM & .SMIL files it is possible to cause heap and stack based overruns in RealPlayer / RealOne Player. By forcing a browser to a website containing such a file, code could be executed on the target machine running in the context of the logged on user; alternatively, the end user would be required to open the attachment (except in the case of the .RPM file).

If you run RealPlayer, be sure to update your installation. Real has posted updates here.