RealPlayer haunted by 'critical' security holes

RealNetworks has shipped a critical update to address multiple vulnerabilities, some serious enough to allow a remote, unauthenticated attacker to execute arbitrary code or obtain sensitive information.

If you still have the RealPlayer software on your machine, now might be a good time to uninstall it. If you really need to keep it (why?), it's definitely time to apply the latest update to avoid malicious hacker attacks.

Some raw details:

  • CVE-2010-2996: RealPlayer malformed IVR pointer index code execution vulnerability. Affected software: Windows RealPlayer 11.1 and prior.
  • CVE-2010-3002: RealPlayer ActiveX unauthorized file access vulnerability. Affected software: Windows RealPlayer 11.1 and prior.
  • CVE-2010-0116: RealPlayer QCP files parsing integer overflow vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.
  • CVE-2010-0117: RealPlayer processing of dimensions in the YUV420 transformation of MP4 content vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.
  • CVE-2010-0120: RealPlayer QCP parsing heap-based buffer overflow vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.
  • CVE-2010-3001: RealPlayer ActiveX IE Plugin vulnerability opening multiple browser windows. Affected software: Windows RealPlayer SP 1.1.4 and prior.
  • CVE-2010-3000: RealPlayer FLV parsing multiple integer overflow vulnerability. Affected software: Windows RealPlayer SP 1.1.4 and prior.

Details on affected RealPlayer versions are available in this RealNetworks advisory.