All the latest UK technology news, reviews and analysis
|
|
|
27 Jun 2005
Real Networks has fixed four serious security vulnerabilities in its Real, Rhapsody and Helix media players.
Two of the security holes put users at risk of buffer overflow attacks just by playing a media file.
The first vulnerability uses the .avi movie file format to overwrite a compromised PC's heap memory, which in turn allows hackers to take control of a system.
The vulnerability can be triggered by a webpage containing a movie configured to start playing automatically, according to an advisory from eEye, the security consultancy that first reported the vulnerability. It ranks the severity as 'high'.
A hacker could also entice a user to play a movie by promising 'appealing' content.
The flaw affects most RealPlayer software for Windows as well as Rhapsody, which is used for Real's subscription music service.
A similar attack method can be used to exploit another flaw in RealPlayer for OS X, Windows and Linux as well as the Helix Player for Linux.
The method uses a flaw in RealText that is part of the RealMedia file format, which again allows a hacker to take over a system, security experts from iDefense warned in a security advisory.
A third flaw for which Real provided a fix allows criminals to create an mp3 music file that overwrites files on a user's system or execute ActiveX controls.
Microsoft's ActiveX allows applications to be downloaded and installed on a system. PCs that have XP Service Pack 2 installed get a warning before any ActiveX code is executed.
The final flaw uses the default settings in earlier version of Internet Explorer. It allows a malicious website to create a file and then trigger a RealMedia file to access that file. Real did not provide any additional information about the flaw.
Users require either a patch or need to download and install a new version of the software. Users can find out whether their software requires an update and download the fixes here.
None of the reported flaws affect Real's media players for Nokia mobile phones or Palm OS handheld computers, the company said.
Latest stories from Security
Related jobs
Poll
What is the most important IT priority for your company this year?
Connect with V3.co.uk
This paper focuses on a series of best practices and techniques for development teams looking to improve their software development processes
Why good data management at all levels is essential in the modern business (video, 6mins)
My client is a well established, non profit organisation;...
PHP Web Developer – £30,000 - £35,000 PHP, MySQL, HTML...
HEAD OF DIGITAL - London - £80-95K + Excellent Bens...
Agile C# Developer - (North London) £55,000 - £65,000...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?