RealNetworks issues critical patch
Fix addresses flaws that could allow remote attacks and infections of malicious code on PCs and Macs.
The company issued an update to address flaws in Windows versions of RealPlayer 10.5 and RealPlayer 10, RealOne Player v2 and v1, RealPlayer 8 and RealPlayer Enterprise.
Also affected are Apple's Mac version of RealPlayer 10, as well as Linux versions of RealPlayer 10 and Helix Player.
One flaw could allow a remote attacker to craft a malformed .rm movie file and trigger a buffer overflow, which allows the attacker to run arbitrary code on a user's computer and take control of it, according to eEye Digital Security, which discovered two of the flaws.
A second vulnerability could allow a buffer overrun to occur in a third-party compression library, a component within RealPlayer used to decompress skin files. A skin is used to change the look of a application, in this case RealPlayer.
A third vulnerability involves a RealPlayer compressed, or zipped, skin file that could lead to a buffer overflow and an attacker remotely executing code to take over a user's computer.
Security company NGS Software also aided in the discovery of the flaws.
RealNetworks noted it has received no reports of computers being compromised as a result of these vulnerabilities.
But in September, it issued a patch to address a variety of flaws in its RealPlayer and Helix Player. The patch came several days after exploit code had been published that could take advantage of the vulnerabilites.