Free Republic

Patch Released for 'Highly Critical' RealPlayer Flaw
GeekCoffee ^ | April 22, 2005 | GeekCoffee

Posted on 04/22/2005 10:12:30 AM PDT by holymoly

RealNetworks has released a security patch to fix a flaw in its RealPlayer software that could allow compromised code to be run on users' computers. The flaw, which was rated "highly critical" by Secunia, is in the most recent versions of the software for both Windows and OS X. Also, Secunia said that some of the older Linux versions were at risk for the flaw.

"RealNetworks has received no reports of machines compromised as a result of the now-remedied vulnerabilities," the company said on its website. "RealNetworks takes all security vulnerabilities very seriously."


TOPICS: Computers/Internet
KEYWORDS: bug; flaw; patch; player; real; realnetworks; realplayer; security; spyware
For those interested in an alternative to RealPlayer: CleanSoftware.org lists Real Alternative

Freeware : Windows
Checked: version 1.29

Real Alternative will allow you to play RealMedia files without having to install RealPlayer or RealOne Player from Real Networks. Supports content embedded in web pages, RealAudio (.ra .rpm), RealMedia (.rm .ram .rmvb .rpx .smi .smil), RealText (.rt), and RealPix (.rp). Comes packaged with Media Player Classic (MPC) and codecs.


I haven't tested it, but it may be a viable alternative to Real Player (which many people consider spyware).
1 posted on 04/22/2005 10:12:38 AM PDT by holymoly

To: WestCoastGal

pong


2 posted on 04/22/2005 10:16:29 AM PDT by ChefKeith (Apply here to be added to the NASCAR Ping List, Daytona is done but we got 29 more races to go...)

To: holymoly

More Information:




Viral movies possible with RealPlayer flaw
Published: October 1, 2004, 4:25 PM PDT
By Robert Lemos
Staff Writer, CNET News.com
A software slipup in RealNetworks' music player means that Windows, Mac and Linux computers could be compromised by a fake movie file, a security company said Friday.

The problem means that fake movie files could be created that, when played by vulnerable Real software, would run a program instead. The flaw appears in RealPlayer 10 for Windows and Mac OS X, the RealOne Player for Windows and Mac OS X and the Real Helix Player for Linux.

"Anyone who has RealPlayer is affected, and there are many people with RealPlayer," said Marc Maiffret, chief hacking officer at software security company eEye Digital Security, the company that discovered the security issue.

RealNetworks could not immediately be reached for comment.

RealNetworks has issued patches for the flaw.

The flaw occurs in a component of Real's software that handles Real movie files with the .rm extension, according to eEye's advisory.

Similar to the recent flaw in Windows applications that handle the JPEG image format, this vulnerability affects a widespread piece of software and could be used to create a virus.

"It's similar to the JPEG flaw in the sense that just by viewing the file, or having the file 'force viewed' through a Web browser, your system can be compromised," Maiffret said. "I think both this JPEG vulnerability and the RealPlayer vulnerability are good examples of a type of threat that is becoming more prevalent: client-side vulnerabilities."

Rather than finding a security hole in the operating system and gaining direct access to a computer, attackers are now increasingly looking at exploiting widely used applications.

"Most security software...is not able to defend itself well against these client-based vulnerabilities, leaving companies with few alternatives other than patching," Maiffret said.


3 posted on 04/22/2005 10:43:12 AM PDT by Swordmaker (tagline now open, please ring bell.)

To: Bush2000; antiRepublicrat; Action-America; eno_; N3WBI3; zeugma; TechJunkYard; ShorelineMike; ...
Mac Realplayer users security PING!

Update your Realplayer software NOW!

Or get rid of it...

If you want on or off the Mac Ping List, Freepmail me.

4 posted on 04/22/2005 10:44:49 AM PDT by Swordmaker (tagline now open, please ring bell.)

To: Swordmaker

Woah!

Thanks!


5 posted on 04/22/2005 10:48:53 AM PDT by tiamat (Some days, it's not even worth chewing through the restraints.)

To: Swordmaker

"The flaw appears in RealPlayer 10 for Windows and Mac OS X, the RealOne Player for Windows and Mac OS X and the Real Helix Player for Linux."

But the upgrade is *free*. ;')


6 posted on 04/22/2005 11:03:58 AM PDT by SunkenCiv (FR profiled updated Monday, April 11, 2005. Fewer graphics, faster loading.)

To: holymoly
Here's the Ultimate patch for Real Player.
7 posted on 04/22/2005 11:15:49 AM PDT by Bloody Sam Roberts (The way that you wander is the way that you choose. The day that you tarry is the day that you lose.)

To: Bloody Sam Roberts
Agreed re MPC.

Real(anything) is real shite.
period.

8 posted on 04/22/2005 4:11:59 PM PDT by tomkat

To: Swordmaker

bttt


9 posted on 04/23/2005 3:45:35 AM PDT by lainde
