February 6, 2004
(IDG News Service)
RealNetworks Inc.'s media player software contains vulnerabilities that could let an attacker take control of a PC on which the software is used to download multimedia files, the company confirmed this week.
Corrupt files posing as normal music and video files could allow an attacker to gain control of the downloader's computer, although RealNetworks stressed in a statement that, as far as it is aware, this has not yet happened.
There are three vulnerabilities: Files could be created that will open on the user's browser a Web site from which remote JavaScript can be operated; files could be created that let an attacker download and use his code on a user's machine; or media files could be created that will create buffer overrun errors.
The problems have been fixed, and RealNetworks advised users to download updates from its Web site.
The affected applications are RealOne Player, RealOne Player Version 2 for Windows only (all languages), RealOne Player 8, RealPlayer 10 Beta (English only) and RealOne Enterprise Desktop or RealPlayer Enterprise (all versions, stand-alone and as configured by the RealOne Desktop Manager or RealPlayer Enterprise Manager).
The vulnerabilities were discovered in December by Next Generation Security Software Ltd. (NGSS) in Sutton, England. RealNetworks responded reasonably quickly to the discovery, a spokesman for NGSS said. "Some vendors take up to a year," he said.