INFORMATION BULLETIN

S-368: RealNetworks Vulnerabilities

[07252008]

August 20, 2008 16:00 GMT


PROBLEM:	RealPlayer contains a buffer overflow vulnerability that may allow an attacker to execute code on a vulnerable system.
PLATFORM:	Windows RealPlayer 11 (11.0.0 - 11.0.2 builds 6.0.14.738 - 6.0.14.802 RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741 RealPlayer 10 RealPlayer Enterprise MAC Mac RealPlayer 10.1 (10.0.0.396 - 10.0.0.503) Mac RealPlayer 10 (10.0.0.305 - 352) Linux Linux RealPlayer 10
DAMAGE:	Execute arbitrary code.
SOLUTION:	Upgrade to the appropriate version.

VULNERABILITY ASSESSMENT:	The risk is MEDIUM. BY convincing a user to visit a website, a remote attacker may be able to execute arbitrary code.

CVSS 2 BASE SCORE: TEMPORAL SCORE: VECTOR:	7.5 6.2 (AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:OF/RC:C)

LINKS:
CIAC BULLETIN:	http://www.ciac.org/ciac/bulletins/s-368.shtml
ORIGINAL BULLETIN:	http://service.real.com/realplayer/security/07252008_player/en/
ADDITIONAL LINKS:	http://www.zerodayinitiative.com/advisories/ZDI-08-046/ http://www.kb.cert.org/vuls/id/298651 http://www.kb.cert.org/vuls/id/461187
CVE:	CVE-2007-5400

[***** Start 07252008 *****]

RealNetworks, Inc. Releases Update to Address Security Vulnerabilities.

Updated August 14, 2008

RealNetworks is making available product upgrades that contain security bug fixes.

RealNetworks is updating the RealPlayer 11 build (11.0.3) announced on July 25th to include components for localized versions of the release that were not included in the original update. The new build, known as RealPlayer 11.0.3a, should be installed for any non-U.S. English versions of RealPlayer 11.

RealPlayer 11.0.3 of the U.S. language version did address all security bug fixes as intended from the July 25th post.

RealNetworks recommends that if you have installed a product version listed in the table below, you upgrade your product to the current version of the product.

Affected Software: (Please see below for details of potential vulnerabilities).

Windows

Software	Affected?	Language	Update Needed?
RealPlayer 11 (Version11.0.3 build 6.0.14.806 for US-EN and version 11.0.3a for all others)	No	All Supported	No
RealPlayer 11 (11.0.0 - 11.0.2 builds 6.0.14.738 - 6.0.14.802	By #1	All Supported	Yes
RealPlayer 10.5 (6.0.12.1675) *	No	All Supported	No
RealPlayer 10.5 (6.0.12.1040-6.0.12.1663, 6.0.12.1698, 6.0.12.1741	By all	All Supported	Yes
RealPlayer 10	By all	All Supported	Yes
RealPlayer Enterprise	By all	English	Yes

Note: To see your Player version number (6.0.x.xxxx), select Help > About in the RealPlayer menu.

* due to Windows Vista compatibility issues, version numbers are now not sequential for RealPlayer 10.5

Software	Affected?	Language	Update Needed?
Rhapsody 4	No	All Supported	No

Note: To see your Rhapsody version number (build 0.xxx), select Help > About in the Rhapsody menu.

Mac

Software	Affected?	Language	Update Needed?
Mac RealPlayer 11	No	All Supported	No
Mac RealPlayer 10.1 (10.0.0.396 - 10.0.0.503)	By #3	All Supported	Yes
Mac RealPlayer 10 (10.0.0.305 - 352)	By #3	All Supported	Yes

Note: To see your Player version number (10.0.0.xxx), select About in the RealPlayer menu.

Linux

Software	Affected?	Language	Update Needed?
Linux RealPlayer 11	No	All Provided	No
*Helix Player (11.)**	No	All Provided	No
Linux RealPlayer 10	By #3	All Provided	Yes
*Helix Player (10.)**	No	All Provided	No

Note: To see your Player version number (10.0.0.xxx), select Help > About in the RealPlayer menu.

Handheld Devices

Software	Affected?	Language	Update Needed?
Nokia Series60 Handsets	No	English	No
RealPlayer for Palm	No	English	No
RealOne Player for Palm	No	English	No

Instructions

Windows Players:

If you are on Windows XP orVista, please click here to download RealPlayer 11 from the web.

If you are on Windows 2000, Windows ME or Windows 98SE, you may get the security updates in the most recent version of RealPlayer 10.5 by following the instructions below.

RealOne Player (English only), RealOne Player V2, RealPlayer 10 and RealPlayer 10.5 customers require a full download to correct this issue. Please use the following steps to upgrade your Player:

1. In the Tools menu select Check for Update.

2. Select the box next to the "RealPlayer 10.5 with Harmony? Technology" component.

Click Install to download and install the update

RealPlayer 8 (version 6.0.9.584) customers please use the following steps to upgrade your Player:

1. Go the Help menu.

2. Select Check for Update.

3. Select the box next to the "RealPlayer 10.5 with Harmony? Technology" component.

4. Click Install to download and install the update.

RealPlayer Enterprise Solution:

"RealPlayer Enterprise product updates are available on your PAM site. For additional information regarding RealPlayer Enterprise please click here."

RealPlayer for Mac OS X:

RealPlayer 10 for Mac OS X customers need to get the latest player to address this security issue. Please click here to upgrade your RealPlayer 11.

Linux Players:

Please click here to get an updated RealPlayer 11 for Linux.

Details for Potential Vulnerabilities:

Vulnerability 1:

The identified vulnerability is a RealPlayer ActiveX controls property heap memory corruption. CVE-2008-1309

Vulnerability 2:

The identified vulnerability is a Local resource reference vulnerability in RealPlayer. CVE-2008-3064

Vulnerability 3:

The identified vulnerability is a RealPlayer SWF file heap-based buffer overflow. CVE-2007-5400

Vulnerability 4:

The identified vulnerability is a RealPlayer ActiveX import method buffer overflow. CVE-2008-3066

Acknowledgements:

RealNetworks would like to acknowledge Dyon Balding, Elazar Broad, CERT/CC, Haifei Li and Peter Vreugdenhil working with TippingPoint for bringing these exploits to our attention as well as those who subsequently worked with RealNetworks to correct the vulnerabilities.

Warranty:

RealNetworks Inc. endeavors to provide you with the highest quality products and services, but cannot guarantee, and does not warrant, that the operation of any RealNetworks product will be error-free, uninterrupted or secure. Please see your original license agreement for details of our limited warranty or warranty disclaimer.


[***** End 07252008 *****]

CIAC wishes to acknowledge the contributions of RealNetworks, Inc. for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

UCRL-MI-119788
[Privacy and Legal Notice]