A Holey Reality

Three security holes found in the popular RealOne media player have put
millions of users at the mercy of attackers, Seattle-based RealNetworks
warned Tuesday.

The company confirmed the bugs in its flagship digital media software, which
is used by approximately 115 million users, could let an attacker execute
arbitrary code on vulnerable systems and urged that patches be installed.

The RealOne Player, RealOne V2 Player and the earlier RealPlayer are
affected, said NGSSoftware, which
reported the flaws to RealNetworks.

The first buffer overrun flaw is triggered by a SMIL file that has a large
number of characters in its metadata. This causes the player to crash when
trying to play that SMIL file. “The bug was fixed by fixing the player
status code to handle the cases where there are large number of characters
in metadata of a smil file,” RealNetworks said.

The company, which competes directly with Microsoft’s
Windows Media Player for command of the digital media delivery market, said
it had not received reports of anyone actually being attacked with the
exploit.

The second security vulnerability is a problem with large file names, whether
in a local, RTSP or HTTP URL. RealNetworks said the player would crash if a
user right-clicks in “Now Playing” and selects “Edit Clip Info”, or right-clicks
in “Now Playing” and selects “Copy to My Library”.


The third and most serious of the three is described as a parsing error in
the player code associated with loading sources within RealFlash
presentations. This could theoretically be used by hackers to adversely
affect users, the company warned.

NGSSoftware said hackers could exploit the hole by sending a link to a file
or Web page with malicious code. When the file is processed through
RealPlayer, it could either crash the multimedia software or allow access to
a victim’s machine.
