Code execution hole haunts RealPlayer, HelixPlayer

Summary: RealNetworks has issued a security fix for a gaping hole in its flagship RealPlayer software but, strangely, the company has not issued a security advisory to warn its millions of customers.

Instead, the required warning came from the researchers at iDefense Labs who found a remotely exploitable security hole affecting both RealPlayer and HelixPlayer.

The last security warning on RealNetworks' security page dates back to March 22, 2006.

From the iDefense advisory:

Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user.

The issue specifically exists in the handling of HH:mm:ss.f time formats by the 'wallclock' functionality within the code supporting SMIL2. An excerpt from the code follows.

A successful exploit requires that an attacker lure a RealPlayer/HelixPlayer user to open a maliciously crafted SMIL file. This can be done by simply convincing the target to visit a malicious Web page.
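The code excerpt the advisory mentions is not reproduced on this page. As an added example (not RealNetworks, Helix or iDefense code), this is one way to parse an HH:mm:ss.f string in C so that an over-long or malformed field is rejected rather than copied anywhere. The type and function names, the two-digit field widths and the 1-3 digit fraction limit are assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>

/* Hypothetical result type for this example (not from RealPlayer/Helix source). */
struct wallclock_time { int hh, mm, ss, ms; };

/* Consume 1..max decimal digits at *p; returns the value, or -1 if there are
 * none or more than max. Over-long fields are rejected, never truncated. */
static int read_field(const char **p, int max, int *count)
{
    int value = 0, n = 0;
    for (; isdigit((unsigned char)**p); (*p)++, n++) {
        if (n == max)
            return -1;
        value = value * 10 + (**p - '0');
    }
    *count = n;
    return n > 0 ? value : -1;
}

/* Parse "HH:mm:ss" or "HH:mm:ss.f" in place: digits are accumulated straight
 * from the input, so there is no fixed-size scratch buffer to overrun.
 * Assumption: two-digit fields, fraction of 1-3 digits (milliseconds).
 * Returns 0 on success, -1 on malformed or out-of-range input. */
int parse_wallclock_time(const char *s, struct wallclock_time *out)
{
    struct wallclock_time t = {0, 0, 0, 0};
    int n = 0;
    if (s == NULL || out == NULL)
        return -1;
    if ((t.hh = read_field(&s, 2, &n)) < 0 || n != 2 || t.hh > 23 || *s++ != ':')
        return -1;
    if ((t.mm = read_field(&s, 2, &n)) < 0 || n != 2 || t.mm > 59 || *s++ != ':')
        return -1;
    if ((t.ss = read_field(&s, 2, &n)) < 0 || n != 2 || t.ss > 59)
        return -1;
    if (*s == '.') {
        s++;
        if ((t.ms = read_field(&s, 3, &n)) < 0)
            return -1;
        for (; n < 3; n++)
            t.ms *= 10;              /* ".5" means 500 ms */
    }
    if (*s != '\0')                  /* trailing bytes after the time: reject */
        return -1;
    *out = t;                        /* output is written only on full success */
    return 0;
}
```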

iDefense said it confirmed the bug in version 10.5-GOLD of RealNetworks' RealPlayer and HelixPlayer. Older versions are assumed to be vulnerable.

The company confirmed that RealNetworks addressed this vulnerability by releasing fixed versions of their software.

RealNetworks has not provided iDefense with any links referring to updated packages or advisories. Installing the latest version from their web site will address the vulnerability.

To ensure your RealPlayer software is patched, use the Tools menu and select Check for Update.

Topics: Security

About

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content managem...
