RealNetworks issues critical patch

Fix addresses flaws that could allow remote attacks and infections of malicious code on PCs and Macs.

RealNetworks issued a critical patch Thursday to address three flaws that could allow a hacker to launch a remote attack to run malicious code on a user's computer.

The company issued an update to address flaws in Windows versions of RealPlayer 10.5 and RealPlayer 10, RealOne Player v2 and v1, RealPlayer 8 and RealPlayer Enterprise.

Also affected are Apple's Mac version of RealPlayer 10, as well as Linux versions of RealPlayer 10 and Helix Player.

One flaw could allow a remote attacker to craft a malformed .rm movie file and trigger a buffer overflow, which allows the attacker to run arbitrary code on a user's computer and take control of it, according to eEye Digital Security, which discovered two of the flaws.

A second vulnerability could allow a buffer overrun to occur in a third-party compression library, a component within RealPlayer used to decompress skin files. A skin is used to change the look of an application, in this case RealPlayer.

A third vulnerability involves a RealPlayer compressed, or zipped, skin file that could lead to a buffer overflow and an attacker remotely executing code to take over a user's computer.

Security company NGS Software also aided in the discovery of the flaws.

RealNetworks noted it has received no reports of computers being compromised as a result of these vulnerabilities.

But in September, it issued a patch to address a variety of flaws in its RealPlayer and Helix Player. The patch came several days after exploit code had been published that could take advantage of the vulnerabilities.
