Wednesday, July 30, 2008

Real partially patches 'highly critical' RealPlayer flaws

Security firm Secunia said Tuesday that RealNetworks had fixed most of the security flaws within its RealPlayer software that were first highlighted on Friday.

Four separate issues were discovered within most versions of RealPlayer 10, 10.5, and 11 across the Linux, Mac, and Windows platforms. While the company released the patch on Monday, which Secunia noted in its advisory, the firm said the fix was not complete.

The issue still not fully patched is related to an error in the rmoc3260 ActiveX control "when handling the 'Controls,' 'Console,' or 'WindowName' properties with a specific timing."

Attackers who exploit this flaw could cause a memory corruption, which could be used to expose sensitive information stored on the affected machine.

Secunia seems to indicates that the other three flaws are now fixed. They include: an unspecified error which can be used to reference local resource, an error in how frames are handled in SWF files, and a boundary error in the file rjbdll.dll which can be used to cause a stack buffer overflow.

In all cases, attackers could use the flaws to execute arbitrary code, the firm said. RealPlayers users can update the software by using the "check for update" function in Windows, while Mac and Linux users should download the latest version of Real's software from its Web site.

  • Google Gadgets for Linux appears
  • Torvalds attacks IT industry ’security circus’
  • Novell in beta with subscription management tool
  • Microsoft prepares to auto-deliver Windows Search 4.0 to Vista users