Plug-in flaw leaves RealPlayer users open to attack

RealNetworks issues a patch for a security flaw in one of its plug-ins that could let an attacker gain control of computers running any of several versions of the company's popular media player software.

Michael Kanellos Staff Writer, CNET News.com

Michael Kanellos is editor at large at CNET News.com, where he covers hardware, research and development, start-ups and the tech industry overseas.

See full bio

Michael Kanellos

April 8, 2004 4:54 p.m. PT

RealNetworks has issued a patch for a security flaw in one of its plug-ins that could let an attacker gain control of computers running any of several versions of the company's popular media player software.

The problem involves a buffer overflow that affects the R3T media plug-in. For people who download the plug-in and use RealPlayer 8, RealOne Player, RealOne Player v2 for Windows, RealPlayer 10 Beta (English only) or RealPlayer Enterprise, their computer can be overpowered by an attacker, who can then insert surreptitious code and use it to execute other actions.

RealPlayer 10 Gold is not affected, the company said, because it removes the plug-in during installation.

"While we have not received reports of anyone actually being attacked with this exploit, and though the percentage of players with this plug-in is very small, all security vulnerabilities are taken very seriously by RealNetworks," the company said in a statement posted on its site this week.

Although hackers and virus writers have often focused on attacking Microsoft, other popular software programs are not immune. Executives at security companies often assert that one of the main criteria for some attackers is the size of the target audience. Real identified three similar flaws in February.

Ways to fix the flaw, and more information on it, can be found here.