'Highly critical' flaw in RealPlayer, RealOne

An attacker could use a buffer overflow vulnerability in RealPlayer and RealOne Player to launch malicious code, but a fix is available.

RealNetworks Inc. recommends users of RealPlayer and RealOne Player install updated versions it has issued to close a security hole attackers could use to launch malicious code.

The Seattle-based company said in an advisory it "has addressed a recently discovered security vulnerability that offered the potential for an attacker to run arbitrary or malicious code on a customer's machine." RealNetworks said it has received no reports of machines being compromised because of the vulnerability.

RealOne and RealPlayer are the most widely used products for Internet media delivery, with more than 200 million users worldwide.

The advisory said the specific problem could allow an attacker "to fashion a malicious skin file to cause a buffer overflow, which could have allowed an attacker to execute arbitrary code on a customer's machine. The buffer overrun was designed to occur in a third-party compression library, dunzip32.dll."

It added, "Skin files from RealNetworks' site are carefully examined before posting for viruses and exploits. To ensure that your player is protected, we recommend installing the available updates."

Danish security firm Secunia called the vulnerability "highly critical" in its advisory and credited Aliso Viejo, Calif.-based security firm eEye Digital Security with reporting the vulnerability.

The vulnerability affects:

  • RealPlayer 10.5 (prior to build 6.0.12.1056)
  • RealPlayer 10
  • RealOne Player v2
  • RealOne Player v1
