PROBLEM: | RealPlayer contains a buffer overflow vulnerability that may allow an attacker to execute code on a vulnerable system. |
PLATFORM: | Windows RealPlayer 11 (11.0.0 - 11.0.2 builds 6.0.14.738 - 6.0.14.802 RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741 RealPlayer 10 RealPlayer Enterprise MAC Mac RealPlayer 10.1 (10.0.0.396 - 10.0.0.503) Mac RealPlayer 10 (10.0.0.305 - 352) Linux Linux RealPlayer 10 |
DAMAGE: | Execute arbitrary code. |
SOLUTION: | Upgrade to the appropriate version. |
VULNERABILITY ASSESSMENT: |
The risk is MEDIUM. BY convincing a user to visit a website, a remote attacker may be able to execute arbitrary code. |
CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR: |
7.5 6.2 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C) |
LINKS: | |
CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/s-368.shtml |
ORIGINAL BULLETIN: | http://service.real.com/realplayer/security/07252008_player/en/ |
ADDITIONAL LINKS: | http://www.zerodayinitiative.com/advisories/ZDI-08-046/ http://www.kb.cert.org/vuls/id/298651 http://www.kb.cert.org/vuls/id/461187 |
CVE: | CVE-2007-5400 |
[***** Start 07252008 *****]
RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.
Updated August 14, 2008
RealNetworks is making available product upgrades that contain security bug fixes.
RealNetworks is updating the RealPlayer 11 build (11.0.3) announced on July 25th to include components for localized versions of the release that were not included in the original update. The new build, known as RealPlayer 11.0.3a, should be installed for any non-U.S. English versions of RealPlayer 11.
RealPlayer 11.0.3 of the U.S. language version did address all security bug fixes as intended from the July 25th post.
RealNetworks recommends that if you have installed a product version listed in the table below, you upgrade your product to the current version of the product.
Affected Software: (Please see below for details of potential vulnerabilities).
Windows
|
Instructions
If you are on Windows XP or
If you are on Windows 2000, Windows ME or Windows 98SE, you may get the security updates in the most recent version of RealPlayer 10.5 by following the instructions below.
RealOne Player (English only), RealOne Player V2, RealPlayer 10 and RealPlayer 10.5 customers require a full download to correct this issue. Please use the following steps to upgrade your Player:
1. In the Tools menu select Check for Update.
2. Select the box next to the "RealPlayer 10.5 with Harmony? Technology" component.
Click Install to download and install the update
RealPlayer 8 (version 6.0.9.584) customers please use the following steps to upgrade your Player:
1. Go the Help menu.
2. Select Check for Update.
3. Select the box next to the "RealPlayer 10.5 with Harmony? Technology" component.
4. Click Install to download and install the update.
RealPlayer Enterprise Solution:
"RealPlayer Enterprise product updates are available on your PAM site. For additional information regarding RealPlayer Enterprise please click here."
RealPlayer 10 for Mac OS X customers need to get the latest player to address this security issue. Please click here to upgrade your RealPlayer 11.
Please click here to get an updated RealPlayer 11 for Linux.
Details for Potential Vulnerabilities:
The identified vulnerability is a RealPlayer ActiveX controls property heap memory corruption. CVE-2008-1309
The identified vulnerability is a Local resource reference vulnerability in RealPlayer. CVE-2008-3064
The identified vulnerability is a RealPlayer SWF file heap-based buffer overflow. CVE-2007-5400
The identified vulnerability is a RealPlayer ActiveX import method buffer overflow. CVE-2008-3066
Acknowledgements:
RealNetworks would like to acknowledge Dyon Balding, Elazar Broad, CERT/CC, Haifei Li and Peter Vreugdenhil working with TippingPoint for bringing these exploits to our attention as well as those who subsequently worked with RealNetworks to correct the vulnerabilities.
Warranty:
RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.
[***** End 07252008 *****]
Voice: +1 925-422-8193 (7 x 24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org