Security holes haunt RealPlayer

Real patches critical flaws in media file software

Tom Sanders in California

vnunet.com, 27 Jun 2005

Real Networks has fixed four serious security vulnerabilities in its Real, Rhapsody and Helix media players.

Two of the security holes put users at risk of buffer overflow attacks just by playing a media file.

Advertisement

The first vulnerability uses the .avi movie file format to overwrite a compromised PC's heap memory, which in turn allows hackers to take control of a system.

The vulnerability can be triggered by a webpage containing a movie configured to start playing automatically, according to an advisory from eEye, the security consultancy that first reported the vulnerability. It ranks the severity as 'high'. 

A hacker could also entice a user to play a movie by promising 'appealing' content.

The flaw affects most RealPlayer software for Windows as well as Rhapsody, which is used for Real's subscription music service.

A similar attack method can be used to exploit another flaw in RealPlayer for OS X, Windows and Linux as well as the Helix Player for Linux.

The method uses a flaw in RealText that is part of the RealMedia file format, which again allows a hacker to take over a system, security experts from iDefense warned in a security advisory

A third flaw for which Real provided a fix allows criminals to create an mp3 music file that overwrites files on a user's system or execute ActiveX controls.

Microsoft's ActiveX allows applications to be downloaded and installed on a system. PCs that have XP Service Pack 2 installed get a warning before any ActiveX code is executed.

The final flaw uses the default settings in earlier version of Internet Explorer. It allows a malicious website to create a file and then trigger a RealMedia file to access that file. Real did not provide any additional information about the flaw.

Users require either a patch or need to download and install a new version of the software. Users can find out whether their software requires an update and download the fixes here

None of the reported flaws affect Real's media players for Nokia mobile phones or Palm OS handheld computers, the company said.

  • Have your say
  • Send to a friend
  • Print
  • Digg
  • Reddit
  • Share

Tags:

Do you agree?

Have your say on this article

Further reading

Related whitepapers

Related jobs

Most watched

HTC Hero

Hands on with the HTC Hero

V3.co.uk gets a walk through of the Hero, which includes HTC's new Sense overlay for Android

Xperia X1

Video Review: Sony Ericsson Xperia X1

First Looks Editor Ian Williams gets hands on with the Sony Ericsson Xperia X1

More video

IT white papers

Search white papers

Top categories

Poll

Poll: Summer smartphones

Poll: Summer smartphones

Which smartphone will you be taking to the beach this summer?

View poll results

Advertisement

Advertisement

Newsletter signup

Sign up for our range of FREE newsletters:

  • More available - 'submit' to view

Existing User

Newsletter user login:

Enter email address to edit your newsletter preferences

Job of the week

More IT jobs

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search

Hiring now on ComputingCareers:

Related IT jobs

More IT jobs

Search thousands of IT jobs :

Search thousands of IT jobs:

Advanced search

Spotlight

HTC Hero

Hands on with the HTC Hero

V3.co.uk gets a walk through of the Hero, which includes...

NetGear ReadyNAS NVX

Review: NetGear ReadyNAS NVX

NetGear's four-bay compact network-attached storage gets a serious speed boost

AMD

AMD adds to six-core Opteron line up

New HE processors promise even lower power consumption

Adobe Systems

Adobe launches ColdFusion 9 and ColdFusion Builder

Firm promises enhanced developer productivity

Primary Navigation