Security holes haunt RealPlayer

Real patches critical flaws in media file software

Written by Tom Sanders in California

Real Networks has fixed four serious security vulnerabilities in its Real, Rhapsody and Helix media players.

Two of the security holes put users at risk of buffer overflow attacks just by playing a media file.

The first vulnerability uses the .avi movie file format to overwrite a compromised PC's heap memory, which in turn allows hackers to take control of a system.

The vulnerability can be triggered by a webpage containing a movie configured to start playing automatically, according to an advisory from eEye, the security consultancy that first reported the vulnerability. It ranks the severity as 'high'. 

A hacker could also entice a user to play a movie by promising 'appealing' content.

The flaw affects most RealPlayer software for Windows as well as Rhapsody, which is used for Real's subscription music service.

A similar attack method can be used to exploit another flaw in RealPlayer for OS X, Windows and Linux as well as the Helix Player for Linux.

The method uses a flaw in RealText, which is part of the RealMedia file format, and again allows a hacker to take over a system, security experts from iDefense warned in a security advisory.

A third flaw for which Real provided a fix allows criminals to create an mp3 music file that overwrites files on a user's system or executes ActiveX controls.

Microsoft's ActiveX allows applications to be downloaded and installed on a system. PCs that have XP Service Pack 2 installed get a warning before any ActiveX code is executed.

The final flaw uses the default settings in earlier versions of Internet Explorer. It allows a malicious website to create a file and then trigger a RealMedia file to access that file. Real did not provide any additional information about the flaw.

Users need either to apply a patch or to download and install a new version of the software. Users can find out whether their software requires an update and download the fixes here.

None of the reported flaws affect Real's media players for Nokia mobile phones or Palm OS handheld computers, the company said.
