See http://www.securityfocus.com/archive/1/403202/30/0/threaded for the issued alert.
All RealPlayer Users at Risk from Malformed Movies and Music
Severity: Medium
23 June, 2005
Summary:
This afternoon, eEye Digital Security and RealNetworks warned of multiple vulnerabilities affecting RealPlayer 10.5 (and earlier versions) running on Windows, Linux, and Mac platforms. By enticing one of your users into opening a malformed movie, an attacker can exploit the worst of these vulnerabilities to execute code on your user's computer, with the user's privileges. If your users have local administrative privileges, the attacker could gain total control of their machines. If you allow the use of RealPlayer in your network, have your users upgrade the application as soon as possible.
Exposure:
RealPlayer and RealOne Player are widely-used software for Internet media delivery. RealOne Player plays virtually every major Internet media format, including Windows Media, Quicktime, MPEG-4, and even DVDs. If you've watched streaming videos on the Internet, or listened to music samples while buying CDs online, you've probably encountered RealPlayer.
WatchGuard does not recommend using RealPlayer or RealOne Player, partly because both contain automatic communication features which, by default, let RealNetworks and RealNetworks' "partners" (such as NASCAR and CNN) control what software they install on your client computers. But let's face reality: many of your users have probably installed one of these products, with or without your permission.
In an alert released today, eEye Digital Security warned of a new buffer overflow vulnerability affecting RealPlayer 10.5 and earlier versions running on Windows. The flaw resides in vidplin.dll, a Dynamic Link Library (dll) that RealPlayer uses to process AVI movies. By enticing one of your users into opening a maliciously crafted AVI movie, an attacker can exploit this vulnerability to execute code on your user's computer, with the user's privileges. In most cases, an attacker could exploit this to gain full control of a machine running RealPlayer.
Besides the buffer overflow vulnerability, RealNetworks' alert also warns of three more security flaws affecting RealPlayer when running on Windows, Linux, and Mac platforms. RealNetworks doesn't describe these vulnerabilities in much detail, but they do warn that the flaws involve malicious MP3 files, RealMedia files, or maliciously crafted Web pages. Furthermore, an attacker can exploit the worst of these flaws to execute code with the same repercussions as mentioned above.
Solution Path:
RealNetworks has released updates to correct these vulnerabilities. Clients who use RealPlayer 10.5 or earlier on Windows, Linux, and Mac platforms should upgrade immediately. RealNetworks provides differing upgrade paths, depending on your version of RealPlayer. To learn how to update your specific version, see the "UPDATES" section of RealNetworks' alert.
For All WatchGuard Users:
Your users could encounter the malicious files (AVI, MP3, and RealMedia) used to exploit these vulnerabilities from many places. An attacker might attach them to an e-mail, host them on a Website, or even offer them on an FTP server. Your users might accidentally download them from Peer-to-Peer networks or even news servers.
In theory, you could use your WatchGuard Firebox's SMTP and HTTP proxy to prevent your users from downloading these types of files via Websites or e-mail. However, many administrators prefer to allow AVI and MP3 files into their network. Even if you blocked their arrival via SMTP and HTTP, these types of files might still find their way into your network through other protocols. To completely protect your network from this vulnerability, either have your users remove RealPlayer, or apply the upgrades above.
Status:
RealNetworks has issued a Security Update that fixes the problem.
References:
eEye Digital Security Alert
Real Media Security Alert
This alert was researched and written by Corey Nachreiner.
-
If in doubt, Google it.
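The alert notes that AVI, MP3 and RealMedia files can reach users by routes the SMTP and HTTP proxies never see. As an added example (not part of the WatchGuard alert or of this thread), the sketch below identifies those three file types by their leading bytes rather than by extension, so shares or download folders can be inventoried while RealPlayer is being upgraded. It only identifies file types and cannot tell a malformed file from a benign one; the function names and sample data are hypothetical.

```python
import os

EXPECTED_EXT = {"avi": {".avi"}, "mp3": {".mp3"}, "realmedia": {".rm", ".rmvb"}}

def is_mp3_frame(h):
    """Plausible MPEG audio Layer III frame header; reserved field values rejected."""
    if len(h) < 3 or h[0] != 0xFF or (h[1] & 0xE0) != 0xE0:
        return False  # no 11-bit frame sync
    version, layer = (h[1] >> 3) & 3, (h[1] >> 1) & 3
    bitrate, rate = h[2] >> 4, (h[2] >> 2) & 3
    return version != 1 and layer == 1 and bitrate != 15 and rate != 3

def classify_media(head):
    """Return 'avi', 'realmedia', 'mp3' or None from a file's first 12 bytes."""
    if len(head) >= 12 and head[:4] == b"RIFF" and head[8:12] == b"AVI ":
        return "avi"        # RIFF container whose form type is 'AVI '
    if head[:4] == b".RMF":
        return "realmedia"  # RealMedia file header chunk
    if head[:3] == b"ID3" or is_mp3_frame(head):
        return "mp3"        # ID3v2 tag or bare audio frame (heuristic)
    return None

def triage(items):
    """items: (name, first 12 bytes) pairs -> [(name, kind, extension_mismatch)]."""
    out = []
    for name, head in items:
        kind = classify_media(head)
        if kind:
            ext = os.path.splitext(name)[1].lower()
            out.append((name, kind, ext not in EXPECTED_EXT[kind]))
    return out

def heads_under(root):
    """Yield (relative path, first 12 bytes) for every readable file under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    yield os.path.relpath(path, root), fh.read(12)
            except OSError:
                continue  # unreadable file, skip it

# Constructed sample headers (not real media files).
SAMPLES = [("clip.avi", b"RIFF\x24\x00\x00\x00AVI LIST"),
           ("invoice.pdf", b".RMF\x00\x00\x00\x12\x00\x01\x00\x00"),
           ("track.dat", b"\xff\xfb\x90\x00" + b"\x00" * 8),
           ("sound.wav", b"RIFF\x24\x00\x00\x00WAVEfmt ")]

print(triage(SAMPLES))
```

To inventory a real directory, pass `heads_under(path)` to `triage`; entries with the third field set are media files whose extension would slip past a name-based filter.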
-
anyone using REALPLAYER deserves to be hacked anyway ...
If you think about it - quicktime also does the same thing just about ..
"Each problem that I solved became a rule which served afterwards to solve other problems." - Rene Descartes (1596-1650)
-
I stopped installing RealPlayer about 3 or 4 years ago because the last time I did it installed a whole bunch of shit with it.
-
Nothing much has changed. It is still a mediocre video player that installs a whole big bunch of crap you do not need. Kind of like Windows Media Player, except Real are a bit less clandestine about it. Oh, and the crap they do install actually does something... just not anything you actually need.
"It's getting to the point now when I'm with you, I no longer want to have something stuck in my eye..."