Menu
Real reveals six new bugs in RealPlayer

Real reveals six new bugs in RealPlayer

More problems for player used in ad server attack; Mac and Linux versions at risk

For the second time in eight days, new critical vulnerabilities that could be used to hijack machines have been fingered in the RealPlayer media player. The patched editions released last week for Windows, however, are not vulnerable to the half-dozen bugs, RealNetworks said.

Hard on the heels of the revelation that RealPlayer sported a major flaw and that the bug had been exploited by hackers who had compromised an ad server owned by 24/7 Real Media to spread malware to visitors of legitimate, trusted Web sites, RealNetworks posted information about the latest vulnerabilities.

All six bugs involve RealPlayer's problems parsing file formats and could be exploited by hackers who first crafted malicious files, then duped users into either opening those rigged files when they received them as e-mail attachments or visiting an attack site that hosted such files. Among the file types: .mov, .mp3, .rm, SMIL, .swf, .ram and .pl.

"Attackers can exploit these issues to execute arbitrary code in the context of RealPlayer," Symantec said in an alert. "Successful attacks can compromise the application and the underlying computer."

RealNetworks said that the most up-to-date Windows editions of RealPlayer 10.5 and beta Version 11 are immune to the attacks. Those versions were released last Friday (pacific time) when RealNetworks fixed a flaw in an ActiveX control it installed on systems running Internet Explorer. At least one of the newest flaws can also be traced to the ActiveX control.

Unlike last week's problem, however, four of the six vulnerabilities disclosed also can be exploited on Mac and Linux machines that have RealPlayer installed. Updated editions are also available for those operating systems, with links available from the security bulletin RealNetworks posted on its site.

Copenhagen-based vulnerability tracker Secunia ApS rated the six just-revealed RealPlayer bugs collectively as "highly critical," the second-highest mark it gives. Symantec rated the bugs separately, with at least one pegged as 8.5 out of a possible 10. But RealNetworks downplayed the risk. "We have received no reports of any machines actually compromised as a result of the now-remedied vulnerabilities," the company claimed.

It can't say the same for last week's vulnerability, which was used by unknown attackers to plant a Trojan horse on PCs whose owners had visited supposedly safe Web sites. The hackers had previously hijacked an ad server operated by Internet advertising company 24/7 Real Media Inc., then infected valid ads that 24/7 served to legitimate sites. When users viewed a page with an infected ad, their Internet Explorer browser was silently redirected to a malicious page from which the Trojan was downloaded and installed.

Although Symantec posted a detailed analysis of the RealPlayer vulnerability and the use of the compromised ad server, 24/7 Real Media has not responded to repeated e-mails this week seeking comment.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Events

Featured

Slideshows

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners

This year’s Reseller News 30 Under 30 Tech Awards were held as an integral part of the first entirely virtual Emerging Leaders​ forum, an annual event dedicated to identifying, educating and showcasing the New Zealand technology market’s rising stars. The 30 Under 30 Tech Awards 2020 recognised the outstanding achievements and business excellence of 30 talented individuals​, across both young leaders and those just starting out. In this slideshow, Reseller News honours this year's winners and captures their thoughts about how their ideas of leadership have changed over time.​

Meet the Reseller News 30 Under 30 Tech Awards 2020 winners
Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security

This exclusive Reseller News Exchange event in Auckland explored the challenges facing the partner community on the cloud security frontier, as well as market trends, customer priorities and how the channel can capitalise on the opportunities available. In association with Arrow, Bitdefender, Exclusive Networks, Fortinet and Palo Alto Networks. Photos by Gino Demeer.

Reseller News Exchange Auckland: Beyond the myths — how partners can master cloud security
Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomes industry figures at 2020 Hall of Fame lunch

Reseller News welcomed 2019 inductees - Leanne Buer, Ross Jenkins and Terry Dunn - to the fourth running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing face of the IT channel ecosystem in New Zealand and what it means to be a Reseller News Hall of Fame inductee. Photos by Gino Demeer.

Reseller News welcomes industry figures at 2020 Hall of Fame lunch
Show Comments