RealPlayer Patch Fails to Fix Flaws

Real Networks fails to close three security holes in its RealOne, RealPlayer media players.

There are three serious flaws in the popular RealOne and RealPlayer media players that allow an attacker to run code on remote users' machines.

Real Networks Inc. issued a patch for these flaws, but it was subsequently found not to fix the problem and was supposed to be removed from the company's Web site. However, as of 2:45 EST Friday, the patch was still accessible.

The company is working on another fix, which may not be available until early next week.

The first vulnerability occurs when a user clicks on a link to a SMIL (Synchronized Multimedia Integration Language) file. The Real software attempts to automatically download and play the content. But if an attacker supplied an overly long parameter within the SMIL file, this would cause a heap overflow in Realplay.exe.

The second vulnerability results when a user tries to download and play a file with an overly long filename parameter. When the user tries to play the file, a heap overflow occurs.

The third problem lies in the way the players handle some overly long file names. If a user downloaded such a file and then right-clicked in the "Now Playing" field and selected "Edit clip info" or "Select copy to my library," it would cause a stack overflow.

An attacker exploiting these flaws would be able to run code in the context of the user, according to Mark Litchfield of Next Generation Security Software Ltd., who discovered the flaws and notified Real Networks, based in Seattle, of the problems. NGSS issued a bulletin on the problems Friday.

Litchfield also said that the RealOne Enterprise Desktop is vulnerable to the last two of these attacks.

Real on Thursday posted to its Web site an advisory and a patch for these vulnerabilities. However, after some testing, Litchfield discovered that the patch didn't fix all of the issues it was meant to address.