Security researchers have identified a serious flaw in the RealPlayer multimedia software program that could be exploited remotely via malware attacks.
According to an advisory posted by research firm Secunia on Friday, experts have isolated a “design error” related to the handling of frames in the program’s Shockwave Flash (SWF) files that could potentially be exploited to cause heap-based buffer overflows.
The issue is rated by Secunia as “highly critical,” the fourth most severe rating on its five-scale vulnerability ranking system.
Successful exploitation of the issue could allow an attacker to execute arbitrary code and subsequently compromise an affected endpoint system running an affected iteration of RealPlayer, according to the report.
The research firm said that the vulnerability has been confirmed in RealPlayer 10.5 versions thus far, but warned that it may also exist in other releases of the software.
While RealNetworks has not issued a patch for the vulnerability as of yet, the company is expected to soon release a new version of the multimedia program that will address the problem, Secunia said.
Security vulnerabilities continue to haunt multimedia applications as the QuickTime and VLC streaming prgrams have also reported serious issues in recent months.
The newly-announced RealPlayer vulnerability is only the latest in a long string of security problems isolated in the program over the last several years. Since 2006 alone, Secunia has posted advisories on a half dozen critical flaws in the popular multimedia platform.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
