RealNetworks Addresses Security Problems

RealNetworks has issued a security patch for a number of its products to address vulnerabilities that could allow for remote execution of code on devices running the software.

The company said that it has not been advised of any known exploitations of the flaws, which are present in its RealPlayer multimedia application Version 10.4 and 10.5 for Windows, and in both its RealPlayer 10.4 and Helix Player 1.4 for Linux.

Real recommended that customers using those products immediately upgrade to a current version of RealPlayer or Helix.

Among the four individual vulnerabilities detailed by the company, at least one could theoretically allow for execution of a program on computers running the affected products.

Another issue involves a malicious flash media (.swf) file, which the firm said could cause a buffer overrun on a customers machine.

/zimages/3/28571.gifClick here to read about a recent RealPlayer vulnerability.

A third problem pertains to the potential for attacking the programs using a specially crafted Web page which could lead to a heap overflow in the applications embedded multimedia player.

The fourth issue disclosed by Real involves use of a malicious mimio file to cause a buffer overrun on an exploited machine.

Security researchers at iDefense, among the first to detail the issue publicly, issued an advisory to address the heap overflow problem specifically. Using the vulnerability, attackers could execute arbitrary code in the context of the individual currently logged onto the device.

The security company reported that the problem specifically exists in Reals handling of the “chunked” Transfer-Encoding method, which breaks the file a server is sending into pieces.

iDefense said there are multiple ways of triggering the vulnerability, each of which result in a heap overflow.

The company also offered a workaround for users of Reals affected products, which involves the disablement of certain Active X controls in the software.

iDefense said that to successfully exploit an end users device, an attacker would need to first lure the individual into clicking on a link to a server under the outsiders control. As a result, the company advised Real users to be on the lookout for malicious links and not to visit unknown Web sites.

Real dealt with a slew of serious security vulnerabilities in its programs at the end of 2005, releasing multiple updates to help its customers protect themselves against outside attacks.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.