Security Warning: RealPlayer and RealOne

[For Public Release]
-----BEGIN PGP SIGNED MESSAGE-----



__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________

INFORMATION BULLETIN

RealNetworks, Inc. Releases Update to Address Security Vulnerabilities
[040928]

October 1, 2004 17:00 GMT Number O-223
______________________________________________________________________________
PROBLEM: The updates protect against the following possible exploits:

1) Fashioning an RM file which corrupts the Player when run from
a local drive;
2) Fashioning a web page with malformed calls, corrupting the
embedded Player;
3) Fashioning a web page and a media file to allow deletion.

PLATFORM: Windows:
RealPlayer 10.5 (6.0.12.1040) English
RealPlayer 10.5 Beta (6.0.12.1016) English
RealPlayer 10 All Supported languages
RealOne Player v1, v2 All supported languages
RealPlayer 8, by vulnerability #1, All supported languages
RealPlayer Enterprise, by vulnerability #1, English

MacIntosh:
Mac RealPlayer 10 Beta, by vulnerability #1, English
Mac RealOne Player, by vulnerability #1, English

Linux:
Linux RealPlayer 10, by vulnerability #1, English
Helix Player, by vulnerability #1, English

DAMAGE: 1 & 2) Might allow an attacker to execute arbitrary code on a
user's machine;
3) Might allow deletion of a file in a path known to the
attacker.
SOLUTION: Install the available updates.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is LOW. There are currently no active exploits. The
attacker must entice a user to either open a malicious
file or visit a web site hosting a malicious file.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-223.shtml
ORIGINAL BULLETIN: RealNetworks, Inc. 040928
http://service.real.com/help/faq/security/040928_player/EN/
______________________________________________________________________________



-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

-----END PGP SIGNATURE-----
CIAC LIST: 12


| Hey all, thanks for the interest in the site, here's another warning you
| should read. Could become a major exploit.
|
| RealOne and RealPlayer have 3 new flaws that could be exploited soon.
| http://habaneronetworks.com/viewArticle.php3?ID=33
|
|
| Thanks again
| Jay Calvert
|
|
 
David H. Lipman said:
[For Public Release]
-----BEGIN PGP SIGNED MESSAGE-----



__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________

INFORMATION BULLETIN

RealNetworks, Inc. Releases Update to Address Security Vulnerabilities
[040928]

October 1, 2004 17:00 GMT Number O-223
______________________________________________________________________________
PROBLEM: The updates protect against the following possible exploits:

1) Fashioning an RM file which corrupts the Player when run from
a local drive;
2) Fashioning a web page with malformed calls, corrupting the
embedded Player;
3) Fashioning a web page and a media file to allow deletion.

PLATFORM: Windows:
RealPlayer 10.5 (6.0.12.1040) English
RealPlayer 10.5 Beta (6.0.12.1016) English
RealPlayer 10 All Supported languages
RealOne Player v1, v2 All supported languages
RealPlayer 8, by vulnerability #1, All supported languages
RealPlayer Enterprise, by vulnerability #1, English

MacIntosh:
Mac RealPlayer 10 Beta, by vulnerability #1, English
Mac RealOne Player, by vulnerability #1, English

Linux:
Linux RealPlayer 10, by vulnerability #1, English
Helix Player, by vulnerability #1, English

DAMAGE: 1 & 2) Might allow an attacker to execute arbitrary code on a
user's machine;
3) Might allow deletion of a file in a path known to the
attacker.
SOLUTION: Install the available updates.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is LOW. There are currently no active exploits. The
attacker must entice a user to either open a malicious
file or visit a web site hosting a malicious file.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-223.shtml
ORIGINAL BULLETIN: RealNetworks, Inc. 040928
http://service.real.com/help/faq/se...
______________________________________________________________________________



-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

-----END PGP SIGNATURE-----
CIAC LIST: 12


| Hey all, thanks for the interest in the site, here's another warning you
| should read. Could become a major exploit.
|
| RealOne and RealPlayer have 3 new flaws that could be exploited soon.
| http://habaneronetworks.com/viewArticle.php3?ID=33
|
|
| Thanks again
| Jay Calvert
|
|

Yep.
 