RealNetworks issues critical patch

Fix addresses flaws that could allow remote attacks and infections of malicious code on PCs and Macs.

Dawn Kawamoto Former Staff writer, CNET News

Dawn Kawamoto covered enterprise security and financial news relating to technology for CNET News.

Dawn Kawamoto

Nov. 11, 2005 12:29 p.m. PT

2 min read

RealNetworks issued a critical patch Thursday to address three flaws that could allow a hacker to launch a remote attack to run malicious code on a user's computer.

The company issued an update to address flaws in Windows versions of RealPlayer 10.5 and RealPlayer 10, RealOne Player v2 and v1, RealPlayer 8 and RealPlayer Enterprise.

Also affected are Apple's Mac version of RealPlayer 10, as well as Linux versions of RealPlayer 10 and Helix Player.

One flaw could allow a remote attacker to craft a malformed .rm movie file and trigger a buffer overflow, which allows the attacker to run arbitrary code on a user's computer and take control of it, according to eEye Digital Security, which discovered two of the flaws.

A second vulnerability could allow a buffer overrun to occur in a third-party compression library, a component within RealPlayer used to decompress skin files. A skin is used to change the look of a application, in this case RealPlayer.

A third vulnerability involves a RealPlayer compressed, or zipped, skin file that could lead to a buffer overflow and an attacker remotely executing code to take over a user's computer.

Security company NGS Software also aided in the discovery of the flaws.

RealNetworks noted it has received no reports of computers being compromised as a result of these vulnerabilities.

But in September, it issued a patch to address a variety of flaws in its RealPlayer and Helix Player. The patch came several days after exploit code had been published that could take advantage of the vulnerabilites.