RealNetworks Fixes Security Holes

A flaw in the RealPlayer software allows malicious media files to run arbitrary code.

RealNetworks Inc. has patched security vulnerabilities in several versions of the RealPlayer client software.

According to an advisory on the companys Web site, the patches address three vulnerabilities in RealPlayer and the RealOne Player for Windows, Mac and Linux. RealNetworks recommends that users apply the updates through links on the advisory page. Real clients for handheld devices, specifically Symbian, Palm and Nokia Series 60, are not affected.

The most serious of the flaws affects only Windows versions of the player. This issue appears to have been reported to RealNetworks by eEye Digital Security, a security consulting firm with a history of finding serious security issues in Windows. This new problem resembles in many ways an earlier problem reported to RealNetworks by eEye. This problem would allow a malicious Web page to potentially execute arbitrary code in the context of the user running the player.

Another exploit also could allow the execution of arbitrary code through the use of a malicious .RM file executed from a local hard drive. The Mac and Linux versions are also vulnerable to this flaw.

A third vulnerability, which affects only Windows users, allows a malicious Web page and media file to delete a file on the users system if the path of the file is known.

RealNetworks says in the advisory that they are aware of no exploits of the reported problems.

28571.gif

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.

77042.gif

Be sure to add our eWEEK.com Security news feed to your RSS newsreader or My Yahoo page