Hi Ryan,
Thanks for posting about these security issues. We're trying to get the word out, too. One thing I just want to flag is that none of the current versions of RealPlayer are affected by any of these bugs. Regardless, it's always best to run the latest version.
Thanks,
Lacy Kemp @ RealNetworks
If you still have the RealPlayer software on your machine, now might be a good time to uninstall it. If you really need to keep it (why?), it’s definitely time to apply the latest update to avoid malicious hacker attacks.
RealNetworks has shipped a critical update to address multiple vulnerabilities, some serious enough to allow a remote, unauthenticated attacker to execute arbitrary code or obtain sensitive information.
Some raw details:
- CVE-2010-2996: RealPlayer malformed IVR pointer index code execution vulnerability. Affected software: Windows RealPlayer 11.1 and prior.
- CVE-2010-3002: RealPlayerActiveX unauthorized file access vulnerability. Affected software: Windows RealPlayer 11.1 and prior.
- CVE-2010-0116: RealPlayer QCP files parsing integer overflow vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.
- CVE-2010-0117: RealPlayer processing of dimensions in the YUV420 transformation of MP4 content vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.
- CVE-2010-0120: RealPlayer QCP parsing heap-based buffer overflow vulnerability.
- Affected software: Windows RealPlayer SP 1.1.4 and prior.
- CVE-2010-3001: RealPlayer ActiveX IE Plugin vulnerability opening multiple browser windows.
- Affected software: Windows RealPlayer SP 1.1.4 and prior.
- CVE-2010-3000: RealPlayer FLV parsing multiple integer overflow vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.
Details on affected RealPlayer versions are available in this RealNetworks advisory.
