‘Critical’ Security Hole in Real’s Helix Server

Digital media frontrunner RealNetworks has issued a
warning for a root exploit vulnerability in its Helix Universal Server 9

The security flaw could potentially allow attackers to gain system access
and execute arbitrary code, according to an alert from RealNetworks.

Independent security consultancy Secunia has assigned a ‘highly critical’
rating to the vulnerability, which affects RealServer G2, RealSystem Server
7, RealSystem Server 8 and the Helix Universal Server 9.x.

The flaw exists in the way the “vsrcplin.so” and “vsrcplin.dll” plugins
handle long requests. As a temporary workaround, RealNetworks said users
should remove the View Source plug-in from the /Plugins directory and
restart the server process.

“Removal of this plug-in will not hinder on-demand or live streaming
delivery or logging and authentication services of the product. With the
plug-in removed however, the Content Browsing feature will be disabled,” the
company explained. A patched version of the Helix Universal Server will be
released soon.

The Helix Universal Server, which is a key component of the company’s
strategy to embrace open-source developers, provides support for live and
on-demand delivery of all major file formats (including Real Media, Windows
Media, QuickTime, MPEG 4 and MP3).

Separately, RealNetworks reported a security hole in its flagship RealOne
Player which can be exploited by attackers to execute arbitrary code.

The vulnerability, which carries a ‘moderately critical’ rating,
affects the RealOne Player, RealOne Enterprise Desktop and RealOne Desktop

RealNetworks said the vulnerability is caused by an unspecified error
in the handling of SMIL files. The hole can be exploited to
execute script code in the context of an arbitrary domain by constructing a
specially crafted SMIL file and tricking a user into executing it.

A new version of the RealOne Player is available via the “Check for
Update” feature. Fixed versions of the RealOne Desktop Manager and RealOne
Enterprise Desktop have also been released.
