[GLLUG] RealNetworks vulnerability

Stanley C. Mortel mortel at cyber-nos.com
Wed Jun 29 13:31:29 EDT 2005


Since this affects Linux and looks serious, I thought I'd post it here even 
though security stuff isn't put on this list.  I really don't have any idea 
if anyone uses RealPlayer on their Linux box anyway, but.......

RealNetworks plugs security holes in player
By Joris Evers <news at asia.cnet.com>, CNET News.com
24/6/2005
URL: http://www.zdnetasia.com/news/security/0,39044215,39238823,00.htm


Several security holes in RealNetworks' widely used media player software 
could put PCs at risk of attack, the company has warned.

Four vulnerabilities in RealPlayer have been discovered, the most serious 
of which could allow an intruder to gain control of a computer, 
RealNetworks <http://www.realnetworks.com/> said in a security advisory 
posted Thursday. Software updates are now available to plug the holes, the 
company said.

Security experts from the French Security Incident Response Team, or 
FrSIRT, labeled the problems as "critical"--the highest rating--in 
an alert <http://service.real.com/help/faq/security/050623_player/EN/> 
issued Thursday.

The problems exist in current and some older releases of 
RealPlayer <http://www.zdnetasia.com/news/software/0,39044164,39185007,00.htm>, 
and they affect versions for Windows as well as Mac OS and Linux, 
RealNetworks said. In addition, one of the newly patched bugs also is found 
in Rhapsody 3, the software used in RealNetworks' music service.

Three of the four flaws could be exploited using a malicious media file, 
RealNetworks said. Specially crafted RealMedia and AVI files could allow an 
attacker to take over a user's computer, while a malicious MP3 file could 
be used to overwrite local files or execute ActiveX controls, it said.

To take advantage of the fourth flaw, a hacker would need to build a 
malicious Web site. However, the attack would require the user to be 
running earlier versions of Internet Explorer with standard settings on the 
computer, RealNetworks said.

RealNetworks' updates are available in its 
advisory <http://service.real.com/help/faq/security/050623_player/EN/> for 
all affected products, and the company recommends that people install the 
newer versions.



Also:  http://service.real.com/help/faq/security/050623_player/EN/
****************************
Stan Mortel
mortel at cyber-nos.com
****************************


