RealNetworks issues critical patch

Fix addresses flaws that could allow remote attacks and infections of malicious code on PCs and Macs.

RealNetworks issued a critical patch Thursday to address three flaws that could allow a hacker to launch a remote attack to run malicious code on a user's computer.

The company issued an update to address flaws in Windows versions of RealPlayer 10.5 and RealPlayer 10, RealOne Player v2 and v1, RealPlayer 8 and RealPlayer Enterprise.

Also affected are Apple's Mac version of RealPlayer 10, as well as Linux versions of RealPlayer 10 and Helix Player.

One flaw could allow a remote attacker to craft a malformed .rm movie file and trigger a buffer overflow, which allows the attacker to run arbitrary code on a user's computer and take control of it, according to eEye Digital Security, which discovered two of the flaws.

A second vulnerability could allow a buffer overrun to occur in a third-party compression library, a component within RealPlayer used to decompress skin files. A skin is used to change the look of a application, in this case RealPlayer.

A third vulnerability involves a RealPlayer compressed, or zipped, skin file that could lead to a buffer overflow and an attacker remotely executing code to take over a user's computer.

Security company NGS Software also aided in the discovery of the flaws.

RealNetworks noted it has received no reports of computers being compromised as a result of these vulnerabilities.

But in September, it issued a patch to address a variety of flaws in its RealPlayer and Helix Player. The patch came several days after exploit code had been published that could take advantage of the vulnerabilites.

Featured Video