P2P-Zone  

Old 07-02-04, 08:18 PM   #1
JackSpratts
 
 
Join Date: May 2001
Location: New England
Posts: 10,018
Real Player Struck By Massive Security Hole

System Access Just One Song Away

Kieren McCarthy

Media player Real Player - one of the most used pieces of software on the Internet - has been struck by several highly critical vulnerabilities that could allow a malicious user system access to your PC.

Jouko Pynnönen and Mark Litchfield of NGSSoftware have discovered that by creating altered media and Real Media files (with the filenames .rp, .rt, .ram, .rpm and .smil) it is possible to cause a buffer overflow and run code on the user’s PC.

All the user would have to do is click on the link and the file’s author would be able to run whatever program they liked on the host PC. This is not good.

Thankfully, the discoverers informed Real and kept schtum until the company had produced a patch, which was made available today. The issue affects virtually all the company’s players including RealPlayer 8, RealPlayer 10, RealOne Player v1, RealOne Player v2 and RealOne Enterprise Desktop.

It is strongly advised, therefore, that anyone with a Real Player click on the Tools menu and “Check for Update” to download the necessary patches. The problem though - as ever - is how many people will, how long it will take them and how much trouble can be created in the meantime.

A huge percentage of Real users make sure that automatic updating is turned off due to the company's constant efforts to get them to upgrade to a pay-for version of the player. Even if the update check is run, the 9MB update to fix the vulnerabilities is not very clearly flagged and doesn't appear to be very important. Real, it seems, still has much to learn about how to deal with security holes.

For more info visit Real’s site here, or NGSSoftware’s page on the problem here.
http://www.techworld.com/news/index....ews&NewsID=986