Code execution hole haunts RealPlayer, HelixPlayer

RealNetworks has issued a security fix for a gaping hole in its flagship RealPlayer software but, strangely, the company has not issued a security advisory to warn its millions of customers.

Instead, the required warning came from the researchers at iDefense Labs who found a remotely exploitable security hole affecting both RealPlayer and HelixPlayer.

The last security warning on RealNetworks' security page dates back to March 22, 2006.

From the iDefense advisory:

Remote exploitation of a buffer overflow within RealNetworks' RealPlayer and HelixPlayer allows attackers to execute arbitrary code in the context of the user.

The issue specifically exists in the handling of HH:mm:ss.f time formats by the 'wallclock' functionality within the code supporting SMIL2. An excerpt from the code follows.

A successful exploit requires that an attacker lure a RealPlayer/HelixPlayer user to open a maliciously crafted SMIL file. This can be done by simply convincing the target to visit a malicious Web page.

iDefense said it confirmed the bug in version 10.5-GOLD of RealNetworks' RealPlayer and HelixPlayer. Older versions are assumed to be vulnerable.

The company confirmed that RealNetworks addressed this vulnerability by releasing fixed versions of their software.

RealNetworks has not provided iDefense with any links referring to updated packages or advisories. Installing the latest version from their web site will address the vulnerability.

To ensure your RealPlayer software is patched, use the Tools menu and select Check for Update.