Gaping holes in RealPlayer patched

Gaping holes in RealPlayer patched

Summary: Digital media delivery firm RealNetworks has shipped a high-prority patch to cover four gaping holes in its flagship RealPlayer software, warning that the vulnerabilities could put users at risk of code execution attacks.The patch comes a few hours after Secunia released an advisory warning for one of the vulnerabilities, a heap-based buffer overflow caused by a design error within RealPlayer's handling of frames in Shockwave Flash (SWF) files.

SHARE:
16

RealPlayer patches 4 serious flawsDigital media delivery firm RealNetworks has shipped a high-prority patch to cover four gaping holes in its flagship RealPlayer software, warning that the vulnerabilities could put users at risk of code execution attacks.

The patch comes a few hours after Secunia released an advisory warning for one of the vulnerabilities, a heap-based buffer overflow caused by a design error within RealPlayer's handling of frames in Shockwave Flash (SWF) files.

According to RealNetworks, at least one of the four bugs affects all platforms -- Windows, Mac OS X and Linux.

[ SEE: IE users beware: RealPlayer zero-day flaw under attack ]

Details are only available for these two vulnerabilities:

  • CVE-2008-1309: The RealAudioObjects.RealAudio ActiveX control in rmoc3260.dll 6.0.10.45 in RealNetworks RealPlayer 11.0.1 build 6.0.14.794 does not properly manage memory for the Console property, which allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via a series of assignments of long string values, which triggers an overwrite of freed heap memory.  CVSS Base Score 9.3.
  • CVE-2007-5400: The vulnerability is caused due to a design error within the handling of frames in Shockwave Flash (SWF) files and can be exploited to cause a heap-based buffer overflow.  Successful exploitation may allow execution of arbitrary code.

In its advisory, RealNetworks also lists CVE-2008-1309, a RealPlayer ActiveX controls property heap memory corruption; and CVE-2008-3064, a local resource reference vulnerability.

Topics: Hardware, Mobility, Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

16 comments
Log in or register to join the discussion
  • Real is feeling threatened by Apple

    Real doesn't want to lose its title of "Least Secure Media Platform Ever Released" to QuickTime. How anyone can allow either of these programs on their computer is beyond me. You are practically [b]begging[/b] to get pwned.
    NonZealot
    • Realplayer is not needed anymore.

      I do have Quicktime installed to a isolated programs folder on my regular user account along with Pidgin and other less secure software. I also uninstall the Apple updater software (I update it manually) and removable device support. I still find the need for Quicktime simply because of it's prevalence on some sites I visit.

      I don't know of any sites that use Realplayer for videos anymore. Most have moved to Flash and either WMV or Quicktime.
      soonerproud
      • Some sites still do

        The ones I've seen are European sites - an example is the BBC website. Some of their content is streamed using Real. Fortunately they also use Windows media format as an alternative in each case. Thankfully they're beginning to use more flash content.
        eMJayy
  • Message has been deleted.

    php_developer
  • RealNetworks???

    What planet are you in?

    Don't bother bloggin' it... :D

    LOL!
    Grayson Peddie
  • Contrary to the other posters here, I like Real Player

    It's convenient for ripping CDs into MP3 format. Windows Media Player always tries to save CDs into its own proprietary WMA format, which I don't want. Real is also good for managing my music collection. It can open some files that the other major media players may not be able to, and it can record streaming content from websites -- not just progressive download content -- but true streaming content including live streams.

    The ads aren't as bad as they used to be either.

    I used to be a big Quicktime fan, but no more, especially after itunes (something I stay away from) got so popular and the distinction between the two became blurred.
    K B
    • There is better software to do that.

      Real Player is so bad that it is its own virus ecosystem. Easy CD-DA will rip all the CDs to MP3 you could want at different bit rates. I hardly ever run into anything needing a ra or ram extension that doesn't have a wma or wmv alternative. Real Player isn't a player anymore.
      osreinstall
    • WMP

      Can easily be changed to rip cd's in the mp3 format by default.

      Go to the RIP tab and click on the tiny arrow below the tab button and select "More Options". (This is also found in the menu under "Tools, Options, Rip Music".) Browse down to the "Rip settings" section and change it to mp3. Then go down and use the slider to select the bit rate. I suggest 192 or 256 for the best balance of file size and quality.

      WMP11 does a good job of managing music files and VLC is a much better option for opening any multimedia file format not covered by WMP.

      Realplayer is worse than Quicktime when it comes to vulnerabilities. Not to mention that it is being called badware by some security sites for it's practices in installation and removal.
      soonerproud
  • RE: Gaping holes in RealPlayer patched

    Is real player alternative affected by any of this? (see: http://www.free-codecs.com/download/real_Alternative.htm)
    b_pratt@...
  • That company still in business? How?

    How is Real still in business? No one I know uses real player for anything. MPC does a great job playing real media, and without the spyware, nagware and bloatware garbage that Real shovels into your PC.
    kraterz
  • RE: Gaping holes in RealPlayer patched

    I had been using RealPlayer's very easy downloader for YouTube videos and such. It was simple; the little bar would appear and one just had to click to download.

    Around the end of June/early July downloads would suddenly stop and the message "Realnetworks.exe has encountered an error and needs to close". This would occur whether in IE 7 or Firefox.

    Upon going on their forums, there were literally hundreds, possibly thousands, of people complaining of this or like behavior. After getting just stock and useless answers, many of us began demanding that the software either be turned on its head, junked or discontinued.

    I suppose this has something to do with the sudden problem of RealPlayer's downloader? I suppose I shall have to apply the patches and see, but my respect for anything released by this company has plummeted to 0.

    And even if I tried to make WMP my default, the command would never "take" and realplayer always appeared instead. Who produced this piece of crap?
    EBathory
  • RE: Gaping holes in RealPlayer patched

    Why all the sarcastic remarks about ways to protect those who prefer using RealPlayer?
    Choice is what makes the world go around! :)
    millerdn
  • RE: Gaping holes in RealPlayer patched

    Why all the sarcastic remarks? If some people prefer using RealPlayer leave them be! Freedom of choice is what makes the world go around! Relax!! :)
    millerdn
  • Realplayer patches

    Two things my computer does [b]WITHOUT;[/b]

    Realplayer
    Flash
    fatman65535
    • It's Funny You Say That....

      Because the "FIX" for these security issues is to upgrade to RealPlayer 11.0.4 Build 6.0.14.806 and now one of the requirements is Flash version 8.x or later.

      I guess they are using Flash for their video now. One less reason to have RealPlayer.
      dunn@...
  • People are still using this kludge??? <NT>

    People are still using this kludge??? <NT>
    Hempman