Real Networks has fixed four serious security vulnerabilities in its Real, Rhapsody and Helix media players.
Two of the security holes put users at risk of buffer overflow attacks just by playing a media file.
Security holes haunt RealPlayer
Real patches critical flaws in media file software
vnunet.com, 27 Jun 2005
Advertisement
The first vulnerability uses the .avi movie file format to overwrite a compromised PC's heap memory, which in turn allows hackers to take control of a system.
The vulnerability can be triggered by a webpage containing a movie configured to start playing automatically, according to an advisory from eEye, the security consultancy that first reported the vulnerability. It ranks the severity as 'high'.
A hacker could also entice a user to play a movie by promising 'appealing' content.
The flaw affects most RealPlayer software for Windows as well as Rhapsody, which is used for Real's subscription music service.
A similar attack method can be used to exploit another flaw in RealPlayer for OS X, Windows and Linux as well as the Helix Player for Linux.
The method uses a flaw in RealText that is part of the RealMedia file format, which again allows a hacker to take over a system, security experts from iDefense warned in a security advisory.
A third flaw for which Real provided a fix allows criminals to create an mp3 music file that overwrites files on a user's system or execute ActiveX controls.
Microsoft's ActiveX allows applications to be downloaded and installed on a system. PCs that have XP Service Pack 2 installed get a warning before any ActiveX code is executed.
The final flaw uses the default settings in earlier version of Internet Explorer. It allows a malicious website to create a file and then trigger a RealMedia file to access that file. Real did not provide any additional information about the flaw.
Users require either a patch or need to download and install a new version of the software. Users can find out whether their software requires an update and download the fixes here.
None of the reported flaws affect Real's media players for Nokia mobile phones or Palm OS handheld computers, the company said.
Tags:
Further reading
Related whitepapers
Related jobs
Most read stories
Most commented stories
Most watched
Analysis and Reports
Remote access - Three steps to getting connected
3.4 million UK professionals now work from home – is your company equipped?
Cost benefits of a global collaboration network
This white paper is a must read for organisations looking for evidence of the bottom-line benefits of high-definition video and voice communications
Advertisement
White paper library
Keep up to date with the latest products, services and technologies from the world's leading IT companies; IThound.com brings you over 6,000 white papers, case studies and analyst reports.
Latest white papers
- The world of voice conferencing: A guide to creating the right environment
- The hidden financial and environmental costs of office printing
- Simplifying communications, serving citizens: unified communications in local government
- Storage choices for virtual server environments
- Global security threats trends - September 2009
Advertisement
Hiring now on ComputingCareers:
Advertisement
Spotlight
V3.co.uk Information Overload Summit starts today
We've finally cut the ribbon on V3.co.uk's inaugural Summit event...
Comment: Three steps to a social media strategy
Monitor, register and engage, says communications adviser Dirk Singer
Summit: Is the ECM industry up to the information overload challenge?
In part one of our report, we talk to EMC...
Summit: UK 'in danger of being left behind' on security
Experts warn behavioural monitoring is essential to protect sensitive data
Advertisements
Secondary navigation
Do you agree?
Have your say on this article