Code execution hole haunts RealPlayer, HelixPlayer

Code execution hole haunts RealPlayer, HelixPlayer

Summary: RealNetworks has issued a security fix for a gaping hole in its flagship RealPlayer software but, strangely, the company has not issued a security advisory to warn its millions of customers.

SHARE:
TOPICS: Security
6

RealNetworks has issued a security fix for a gaping hole in its flagship RealPlayer software but, strangely, the company has not issued a security advisory to warn its millions of customers.

Code execution hole haunts RealPlayer, HelixPlayer

Instead, the required warning came from the researchers at iDefense Labs who found a remotely exploitable security hole affecting both RealPlayer and HelixPlayer.

The last security warning on RealNetworks' security page dates back to March 22, 2006.

From the iDefense advisory:

Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user.

The issue specifically exists in the handling of HH:mm:ss.f time formats by the 'wallclock' functionality within the code supporting SMIL2. An excerpt from the code follows.

A successful exploit requires that an attacker lure a RealPlayer/HelixPlayer user to open a maliciously crafted SMIL file. This can be done by simply convincing the target to visit a malicious Web page.

iDefense said it confirmed the bug in version 10.5-GOLD of RealNetworks' RealPlayer and HelixPlayer. Older versions are assumed to be vulnerable.

The company confirmed that RealNetworks addressed this vulnerability by releasing fixed versions of their software.

RealNetworks has not provided iDefense with any links referring to updated packages or advisories. Installing the latest version from their web site will address the vulnerability.

To ensure your RealPlayer software is patched, use the Tools menu and select Check for Update.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

6 comments
Log in or register to join the discussion
  • Who use RealPlayer anyway?

    Not me!
    Grayson Peddie
    • Right, but...

      I'm sure that although a lot of people don't use it, they have a vulnerable version sitting on that machine in the basement. Ditto WinZip, QuickTime, etc.

      _ryan
      Ryan Naraine
      • Well I don't use WinZip.

        For the reason that I just use Windows' zip/unzipping utility.

        As for QuickTime, I'm not sure if Windows Media Player have been attacked yet. Plus, I rarely go to any websites that only have QuickTime files like for demonstration or anything. Thus, I rarely use QuickTime.
        Grayson Peddie
        • Where have you been hiding? Mars?

          [i]"I'm not sure if Windows Media Player have been attacked yet"[/i]

          A short list for you.....

          http://secunia.com/product/1085

          http://www.microsoft.com/technet/security/Bulletin/MS06-005.mspx

          http://www.us-cert.gov/cas/techalerts/TA06-045A.html
          bportlock
    • Once upon a time, I did.

      But then the decision makers at Real lost their minds and:

      1. Put Real icons EVERYWHERE on your PC. Quick Launch, Start Menu, Pinned Start Menu, System Tray, Desktop, web browser toolbar buttons, and in all context menus.

      2. Included that godawful RealPlayer news feature that couldn't be turned off, which kept popping up "Critical Information!" news, that always turned out to be a pitch for something they wanted to sell you.

      3. Took over all media file associations, whether you wanted it to or not, and did it every time you started up RealPlayer.

      It's been at least 8 years since I uninstalled RealPlayer, and I don't see me going back to it any time soon.
      Hallowed are the Ori
  • Using Real Player's "check for updates" didn't update

    The free Real Player was installed on one machine I was patching last night, so I used its "Check for Updates" feature. It "updated" to version 10.x/6.0.12.1578, which was the same version number that another machine which hasn't been updated for several months had on it.

    It's possible that Real has only patched their paid-for player and is leaving users of the free player twisting in the wind.
    bugmenot2