Overdue patches published for RealPlayer
RealNetworks has released a monster update that closes an impressive 27 security holes in Windows RealPlayer 11.1. Other versions, such as RealPlayer SP, RealPlayer Enterprise and the Mac / Linux versions are also partially affected. Apparently the current RealPlayer 14.0 does not exhibit any of the vulnerabilities.
RealNetworks does not comment on the severity of the flaws in its announcement. Most of the holes are related to flaws in the handling of certain multimedia formats, which cause buffer overflows and other memory management problems. Such errors can often be exploited to inject and execute malicious code; in extreme cases, computers can be infected with spy software.
iDefense comes to a similar conclusion [1, 2]. A look at its advisories also explains why RealPlayer 14 is not vulnerable: RealNetworks was notified of some of the holes six months ago, but apparently waited until now to patch the older versions, after the already-fixed version 14 was published at the end of October.
Those who still use a vulnerable RealPlayer should install the update immediately – or take the opportunity to uninstall the program if it is no longer in use. If left unpatched, it is a serious security risk.