Serious security hole plugged in RealPlayer

[FreewheelinFrank]

RealNetworks has patched a vulnerability in its RealPlayer and HelixPlayer software that made it possible for attackers to run arbitrary code on a victim's machine. The security hole affects applications running on Windows, Mac and Linux platforms.

The vulnerability exists within the code that handles time formats for a feature in the applications that acts as a wall clock, according to iDefense Labs, which first discovered the flaw. An attacker can exploit the vulnerability by effecting a stack-based buffer overflow that allows for the execution of malware.

The gaping hole has been plugged, but you'd never know it from browsing the RealPlayer blog or the company's security advisories. That's unfortunate. Given the severity of the vulnerability, the updates - available here for RealPlayer and here for HelixPlayer - should be installed immediately.

RealNetworks spokesman Matt Graves said the lack of disclosure is the result of the company not knowing the iDefense advisory was going to be issued on Wednesday. The company is scrambling to add an advisory to its own website. (It is unclear if a messaging system within the applications warns users of the vulnerability.)

To exploit the flaw, an attacker would first have to prompt a user to open a specially crafted SMIL file. Simply luring a RealPlayer or HelixPlayer user to a booby-trapped website is sufficient for accomplishing this. SMIL files are written in an XML markup language that uses the Synchronized Multimedia Integration Language used to code things such as for timing, layout, animations, visual transitions, and media embedding.

The vulnerability has been confirmed in version 10 and 10.5-GOLD of RealPlayer for Windows, version 10 of RealPlayer for Mac, RealPlayer Enterprise and and HelixPlayer, an open source version of RealPlayer for Linux. Earlier versions of those programs are presumed susceptible as well, according to to iDefense. ®

http://www.theregister.co.uk/2007/06/28/realplayer_security_hole_plugged/

[drhayden1]

thanks FWF-but the download link is for realplayer 11 beta-is that the one to download or is there a final version to download that isn't affected
http://realplayer.com/  The new RealPlayerBETA

[FreewheelinFrank]

The only download available is a Beta. Better a secure beta than the insecure old product, I thought. Seems to work OK.

[drhayden1]

ok thanks FWF-i uninstalled the old one first and then installed the beta 11

click to enlarge

[drhayden1]

working fine-no problems
know anything about the final release of realplayer 11

[FreewheelinFrank]

know anything about the final release of realplayer 11

Probably be announced here:

http://rws-blog.rhapsody.com/realplayer/

Seems there are some bugs with RealPlayer under Vista.

http://rws-blog.rhapsody.com/realplayer/2007/06/new-realplayer-.html

[drhayden1]

ok thanks FWF-if you hear first hand when its coming out-let me know
my helper with keeping the screen free of bugs-seems like the only thing on the computer that can be kept bug free

[Lisandro]

Shame on Real... Maybe it's time to use only JetAudio and not this kind of problematic Real player.
By the way, this company is being more and more associated to adult sites (at least on my country) a known source of malware. It's being blocked by WebShield or by K9 filter.

[DavidR]

I have to say I ditched Real some time ago, I hate the way it wants to take over your computer and the world when you install it and when you update it, well it tries again to set itself as default, etc.

I use JetAudio and the Real Alternative plug-in to view/listen to real audio/video format.

[polonus]

Hi DavidR,

For some time I now use the vlc media player, and I can say it is not bad, not bad at all.
http://www.videolan.org/vlc/

polonus

[DavidR]

Thanks, but it doesn't support real video files and reports only partial support for real audio files (what ever they mean by partial). So there wouldn't be much point switching if you had to use another player for real files.

[Sesame]

(Spotting the national flag on the profiles of FWF and DavidR), BBC prefers real video files, which I  use only for the site.  For this reason, I go for Real Alternative, too. 

I have VLC portable, which can play almost everything even on the move, though.  For machines on which I can take control enough to install, VLC is somehow unstable compared with JetAudio, IMO.