RealPlayer Still Vulnerable to Attack

Real Networks has yet to successfully patch flaws found two weeks ago in its popular RealPlayer and RealOne software.

Nearly two weeks after posting a faulty patch for several security vulnerabilities in its ubiquitous RealPlayer and RealOne software, Real Networks Inc. has yet to release a working fix for the problems.

In addition, a security researcher said Tuesday that he has discovered five more vulnerabilities in the media players.

Mark Litchfield of Next Generation Security Software Ltd., who also discovered the three original Real flaws, said he has found five additional vulnerabilities in the RealPlayer and RealOne players. All of the new issues are buffer overruns and can be exploited remotely via code embedded in e-mail messages.

Litchfield has notified Real of some of the flaws and is currently in the process of writing proof-of-concept exploit code for the others before sending them to the Seattle-based company. He is working with Real Networks on fixes for the vulnerabilities.

The three vulnerabilities Litchfield identified last month are also buffer overruns, and an attacker exploiting one of them would be able to run code in the security context of the logged-on user. Real Networks released a patch for these vulnerabilities on Nov. 21, but later removed it from its Web site after Litchfield discovered it didn't entirely fix the flaws.

The RealPlayer and its newer cousin, RealOne, have more than 250 million registered users combined and are used widely in the enterprise as well as the consumer market.