October 4, 2004 7:11 AM PDT

RealPlayer 10 beta, RealOne Player for Mac OS X affected by security issue

by CNET staff

eEye Digital Security says it discovered a critical vulnerability in RealPlayer. The vulnerability allows a remote attacker to reliably overwrite heap memory with arbitrary data and execute arbitrary code in the context of the user who executed the player.

A statement reads: "This specific flaw exists within the pnen3260.dll file used by RealPlayer. By specially crafting a malformed .rm movie file along with a SMIL file, a direct heap overwrite is triggered, and reliable code execution is then possible."

In the case of Mac OS X, users are only vulnerable if they play a local Real media file in either RealPlayer 10 Beta or RealOne Player.

RealNetworks has since released a patch for this vulnerability. The patch is available via the "Check for Update" menu item under the application menu (RealOne Player) in the menu bar. RealPlayer 10 (non-beta) is not affected by this issue.

Feedback? Late-breakers@macfixit.com.

    by FriscoFrog October 4, 2004 11:07 AM PDT
    I have RealOne Player v. 9.0. When I tried getting the patch using the "Check for Update" I got a message that the software is up to date. No patch available. Also strange that they didn't advise me that RealPlayer 10 is available for download.
    by PSmith October 4, 2004 11:23 AM PDT
    Check For Updates, which is under "RealPlayer" (not "Tools") in the OS X menubar, tells me that my RealPlayer 10 is "up to date," no patch offered for download.
    by Demolition October 4, 2004 12:00 PM PDT
    According to the most recent Real security update document (http://service.real.com/help/faq/security/040928_player/EN/), RealPlayer 10 for Mac OS X appears to be unaffected by the vulnerabilities.

    The RealPlayer 10 Beta is subject to one of the three exploits described, however.

    D.
    by hamarkus October 5, 2004 3:24 AM PDT
    RealPlayer 10 fixed UI oddities I had with www.bbc.co.uk/worldservice with Mozilla.
    But although it fixed some UI problems with www.couleur3.ch, it doesn't play anything there at all anymore (could also be a Java-related problem, i.e. changes on the site or with 1.4.2 Update 2).