After finding a vulnerability in its Helix Universal Server 9 platform, RealNetworks Inc. has issued a security warning for its customers.
The vulnerability is a root exploit where certain types of character strings appear in large numbers within the URLs destined for a server’s protocol parsers, the Seattle-based company said in an sever exploit vulnerability alert posed on its Web site.
Along with the Server 9 platform, earlier versions of the server including RealSystem Server 8, 7 and RealServer G2, are also vulnerable to the security flaw, which could see attackers gaining access to users’ systems.
Customers are being told to remove the RealNetworks View Source plug-in from the /Plugins directory – vsrcplin.so and vsrcplin.dll – and to restart the server process.
The View Source Plug-in is responsible for reading and displaying file format headers of media files accessible to the file systems loaded by the server, the company said in the alert.
RealNetworks said the removal of the View Source Plug-in would not obstruct live streaming delivery or logging and authentication services but content browsing would be disabled.
While the removal of the View Source Plug-in is what the company calls a work-around for this issue, the company is working towards a more permanent solution by making a new version of the Helix Universal Server. The newer version will be available to all current customers, RealNetworks said.
Real’s proxy products are not vulnerable to the exploit.
Real Networks is online at www.realnetworks.com. The alert can be found at www.service.real.com/help/faq/security/rootexploit082203.html.