RealPlayer haunted by 'critical' security holes

RealNetworks has shipped a critical update to address multiple vulnerabilities, some serious enough to allow a remote, unauthenticated attacker to execute arbitrary code or obtain sensitive information.

If you still have the RealPlayer software on your machine, now might be a good time to uninstall it. If you really need to keep it (why?), it's definitely time to apply the latest update to avoid malicious hacker attacks.

Some raw details:

  • CVE-2010-2996: RealPlayer malformed IVR pointer index code execution vulnerability. Affected software: Windows RealPlayer 11.1 and prior.
  • CVE-2010-3002: RealPlayer ActiveX unauthorized file access vulnerability. Affected software: Windows RealPlayer 11.1 and prior.
  • CVE-2010-0116: RealPlayer QCP files parsing integer overflow vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.
  • CVE-2010-0117: RealPlayer processing of dimensions in the YUV420 transformation of MP4 content vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.
  • CVE-2010-0120: RealPlayer QCP parsing heap-based buffer overflow vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.
  • CVE-2010-3001: RealPlayer ActiveX IE Plugin vulnerability opening multiple browser windows. Affected software: Windows RealPlayer SP 1.1.4 and prior.
  • CVE-2010-3000: RealPlayer FLV parsing multiple integer overflow vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.

Details on affected RealPlayer versions are available in this RealNetworks advisory.
