
RealNetworks says RealPlayer bug won't sting

The company is testing a fix for a software glitch in its streaming media player but disputes claims that the bug poses a security risk.

RealNetworks said it is testing a fix for a software glitch in its streaming media player but disputed claims that the bug poses a security risk.

The problem has to do with the way the player handles unusually long Web addresses. In current versions of the player, an address of more than 299 characters will crash the application.

Web addresses with 300 characters may not seem like the most likely pitfall on the Web. But in a "buffer overflow" exploit, said to be the world's most common software glitch, the extra-long address is a springboard for potential attacks on a victim's computer.

In a buffer overflow, the attacker floods a field, typically an address bar, with more characters than will fit. The excess characters in some cases can be run as "executable" code, giving the attacker control of the computer without the constraints of security measures.
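The boundary described above can be shown with a short C example. It is added here for illustration and is not RealNetworks code, which the article does not show. The 300-byte buffer size and all function names are assumptions, chosen so that 299 characters plus the terminating NUL fit exactly.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: 299 characters + NUL terminator = 300 bytes. The article gives
   only the 299-character limit, not the player's actual buffer or code. */
#define URL_BUF_SIZE 300

/* Unsafe pattern (hypothetical): strcpy() copies until the source's NUL and
   never looks at the destination size, so a longer URL overwrites whatever
   follows dst in memory. Shown for contrast only; never called below. */
void copy_url_unchecked(char dst[URL_BUF_SIZE], const char *url)
{
    strcpy(dst, url);
}

/* Hardened form (hypothetical): find the terminator within dst_size bytes
   first and reject anything that does not fit, terminator included.
   Returns 0 on success, -1 on bad arguments or overlong input. */
int copy_url_checked(char *dst, size_t dst_size, const char *url)
{
    const char *end;

    if (dst == NULL || url == NULL || dst_size == 0)
        return -1;
    end = memchr(url, '\0', dst_size);      /* stops at the first NUL */
    if (end == NULL)
        return -1;                          /* too long: reject, do not truncate */
    memcpy(dst, url, (size_t)(end - url) + 1);
    return 0;
}

/* Builds a constructed URL of n characters and runs the checked copy. */
int try_url_of_length(size_t n)
{
    char url[1024], dst[URL_BUF_SIZE];

    if (n >= sizeof url)
        return -1;
    memset(url, 'a', n);
    url[n] = '\0';
    return copy_url_checked(dst, sizeof dst, url);
}

int main(void)
{
    printf("299 chars: %d\n", try_url_of_length(299));
    printf("300 chars: %d\n", try_url_of_length(300));
    return 0;
}
```

Rejecting the overlong address outright, rather than truncating it, keeps the application from acting on a URL the user never supplied.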

RealNetworks said it is testing a patch for the bug. The company denied, however, that the bug poses more than a nuisance to users.

"It's a bug, and we do not believe it's a security risk at all," said Steve Banfield, general manager of the RealPlayer group at RealNetworks. "If it is, it has never been exploited to our knowledge."

The person who discovered the bug acknowledged that he had not produced a demonstration of an exploit. But he said the behavior of the bug made it appear likely that it would present a security hazard.

"The scary thing is that by looking at the dump output when you crash, it looks like it would be able to execute arbitrary code," said Adam Muntner, the security enthusiast who posted news of the bug to the Bugtraq security mailing list. "It should be trivial to do that."

RealNetworks said the parameters of the software hole made a security attack an unlikely scenario.

"Based on our analysis, it would be almost impossible for someone to do that," Banfield said. "You can't guarantee where you're going at that point (after the application crashes from the overflow). Even if you could, it's a tiny overflow area--only a couple hundred bytes."

RealNetworks will post either a patch or an updated version of the player to its Web site tomorrow.