RealNetworks closes several security holes

With updated versions of RealPlayer, RealOne Player and Helix Player, RealNetworks resolves several critical vulnerabilities which allow attackers to use specially crafted media files to inject and execute malicious code on computers. The crafted files can be deployed on web pages or by email.

According to Real's advisory, attackers can use specially crafted mp3, rm, SMIL, swf, ram and pls media files to cause buffer overflows and execute malicious code by manipulating the application's stack and heap. Security expert Piotr Bania has released more detailed advisories about the flawed processing of .mov files. He describes how attackers can use specially crafted files to manipulate the application's heap and cause memory corruption, gaining access to the processor's instruction pointer, through which they can execute the injected code.

Numerous versions of the Player software for Windows, Mac OS X and Linux are affected. RealNetworks has released updates for download and advises users to install them at their earliest convenience.

See also:

• RealNetworks, Inc. Releases Update to Address Security Vulnerabilities, RealNetworks summary of affected versions and download links
• Download the updated version of RealPlayer for Windows Vista
• Download the updated version of RealPlayer and RealOne Player for Windows
• Download the updated version of RealPlayer Enterprise Solution
• Download the updated version of RealPlayer for Mac OS X
• Download the updated version of RealPlayer for Linux
• Download the updated version of Helix Player
• RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Corruption, security advisory by Piotr Bania
• RealNetworks RealPlayer/RealOne Player/Helix Player Remote Memory Corruption, error report by Piotr Bania

(mba)