RealNetworks patch fails to fix media player flaws

A RealNetworks Inc. security patch for its media player software is flawed, leaving millions of users at risk of attacks, a security researcher said Wednesday.

RealNetworks last week posted a software update on its Web site to fix three security flaws in the Windows versions of the RealOne Player and RealPlayer. An attacker could take over a computer running the media player software by encouraging a user to download a malformed file, RealNetworks said in a security advisory posted on its Web site last week. [Please see RealNetworks patches flaw in media player software.]

However, the software patch “does not do its job,” said Mark Litchfield, a security researcher with Next Generation Security Software Ltd. of Sutton, England, who discovered the flaws.

It is still possible to cause a buffer overrun by making a couple of simple modifications to the attacks on the software, Litchfield said. He alerted RealNetworks and is now helping the Seattle company come up with a fix that plugs the security holes, he said.

In a buffer overrun attack, an attacker exploits an unchecked buffer in a program to load his own code onto a system and run that.

RealNetworks confirmed in a statement sent via e-mail Wednesday that Litchfield is looking at a new security fix and that this new fix should be posted “shortly.” The company said it takes all buffer overrun bugs seriously, but added that Litchfield “has not been able to demonstrate how to exploit the buffer overruns for malicious intent.”

Litchfield expects RealNetworks will release an updated patch in “a day or two.” He has tested several new patches, but all were flawed. “The third one last night had only one overflow, so I am hoping they will have a final patch out in the next two days or so,” said Litchfield.

The original patch was not offered to Litchfield for testing, although he did offer to do that when he originally told RealNetworks about the flaws on Nov. 1, he said.

The RealNetworks advisory is at:

http://service.real.com/help/faq/security/bufferoverrun_player.html.


Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now