Critical RealPlayer Vulnerabilities Revealed

RealNetworks has published a security advisory disclosing critical vulnerabilities in its RealPlayer line of products, many of which can be exploited to execute arbitrary code.

The problem affects versions older than RealPlayer SP 1.1.5 and RealPlayer 2.1.3 for Windows. The latest stable and unaffected version of RealPlayer SP is 1.1.5 Build 12.0.0.879, which was released at the beginning of July.

It's not clear why this advisory was published three months later, but it's a good reminder to update for users who haven't done so already.

The RealNetworks advisory lists seven security issues, but vulnerability research vendor Secunia claims that there are in fact eleven.

According to Secunia, "one has an unknown impact and others can be exploited by malicious people to compromise a user's system."

RealNetwork notes that five of the disclosed vulnerabilities affect supported RealPlayer versions up to 1.1.4 and four of them also affect RealPlayer Enterprise 2.1.2.

Five of the vulnerabilities were reported through TippingPoint's Zero Day Initiative program, four were discovered by researchers from Secunia, while two are credited to Microsoft Vulnerability Research (MSVR).

Many of the flaws can be exploited remotely through malformed audio, video or playlist files. This exposes users to drive-by download attacks.

Secunia rates the security impact of this advisory as highly critical and US-CERT also issued an alert about it, encouraging users and administrators to upgrade.

RealPlayer SP is a free multimedia player with streaming, online radio, CD burning and media organizing capabilities.

The Internet streaming feature brought it a great deal of popularity during the 90's, but for the past five years its market share dropped considerably in favor of Windows Media Player or the open source VLC.

However, some people and enterprises still use it for proprietary RealMedia formats: RealAudio (*.ra, *.rm), RealVideo (*.rv, *.rm, *.rmvb), RealPix (*.rp), RealText (*.rt), RealMedia Shortcut (*.ram, *.rmm).

The latest version of RealPlayer can be downloaded here.