Dec 13, 2010 18:09 GMT

RealNetworks has patched 27 vulnerabilities affecting RealPlayer 11, RealPlayer SP and RealPlayer Enterprise, most of which allow remote code execution and carry a critical security risk.

Many of the vulnerabilities are buffer overflows that are triggered when parsing malformed files of different formats.

Fifteen of them were reported by various researchers through TippingPoint's Zero Day Initiative (ZDI) program, two by researchers from TippingPoint's own DVLabs division, three by Secunia Research, five by VUPEN and two by iDefense Labs.

All 27 flaws affect RealPlayer 11.0 - 11.1; 25 affect RealPlayer SP 1.0 - 1.0.1, 24 affect RealPlayer SP 1.0.2 - 1.1.1, 21 affect RealPlayer SP 1.1.2 - 1.1.4 and 11 affect RealPlayer SP 1.1.5.

RealPlayer 14.0.1.609 for Windows, which was released at the end of November, is not vulnerable to any of these security issues, and users are strongly encouraged to upgrade to it.

RealPlayer Enterprise users are advised to install version 2.1.4, because 2.1.2 and 2.1.3 are vulnerable to 13 and 4 of the flaws, respectively.

Similarly, Mac RealPlayer 11.0 - 11.1 is affected by 14 vulnerabilities, while version 12.0.0.1444 is affected by 6. Mac RealPlayer users are encouraged to upgrade to version 12.0.0.1548.

As for the Linux flavor, Linux RealPlayer 11.0.2.1744 is vulnerable to 20 of the disclosed bugs, and patches are available in version 11.0.2.2315.

It seems that RealNetworks was notified of some of these vulnerabilities over six months ago, but focused on getting RealPlayer 14 out first.

RealPlayer gained much popularity during the '90s because it was one of the first players with media streaming capabilities.

However, in recent times its market share has dropped considerably in favor of open source alternatives, such as VLC, that don't bundle third-party toolbars and components.

Because RealPlayer integrates with browsers, many of these flaws can be exploited remotely by serving a malformed file from a website, an attack known as a drive-by download.